Managing Lawful Bases for Data Processing

Switch on GDPR Compliance options

Under compliance settings, you need to first switch on GDPR compliance settings if it applies to your business. Users with the Manage Compliance Settings profile permission can enable and view the features available under Setup > Users and Control > Compliance Settings.
To switch on GDPR compliance options

  1. Click Setup > Users and Control > Compliance Settings.
  2. In the Compliance Settings page, toggle on the enable button for Compliance Settings.
  3. From the Enable GDPR compliance for modules drop-down list, select the modules that contain data subjects' information.
    You can edit this later from Setup > Users and Control > Compliance Settings > Preferences.
  4. Click Save.

The Lawful Bases

The fundamental principle for handling personal data is that data must be processed lawfully and in a transparent manner. GDPR defines six lawful bases for processing data. It is important to understand all of them, as no one lawful basis is better than the others. Choosing the most appropriate basis depends on the purpose of the data processing and your business requirements.

  • Consent - When you have consent from the data subject to process their personal data. There must be a deliberate action on the part of the data subject to opt in or give consent.
    Example: Collecting and processing personal data for marketing purposes or for sending newsletters.
  • Contract - When you have a contract with an individual to supply goods or services requested by them. In this case, you process data to fulfill the contract.
    Example: During a contract, when the customer asks for more information via email, the organization processes their personal data to respond to the request.
  • Legal Obligation - When you have to process the data to comply with the law.
    Example: A government institution requires an employee's salary details, or an investigation requires the processing of personal data.
  • Vital Interests - When you need to process data to protect someone's life or in an emergency situation.
    Example: Collecting people's personal details to ensure their safety during an emergency or a fire.
  • Public Tasks - When you need to carry out tasks in the public interest, usually as a government institution, political party, etc.
    Example: A public authority that processes data for scientific research, surveys, or public health studies.
  • Legitimate Interests - When your organization holds a genuine, legitimate reason to process data and the purpose does not harm the data subject's rights.
    Example: A customer has not paid their invoice, so the company needs to process the customer's data to collect payment. Or, for administrative purposes, an organization processes employees' personal data for payroll.

Applying Lawful Bases with Zoho CRM

Lawful basis as Not Applicable

By default, all the records in the Leads, Contacts, and Vendors modules will have the Data Processing Basis set to Not Applicable when you enable GDPR from Setup > Users and Control > Compliance Settings. Once this is enabled, each record will have a Data Privacy section with the data processing basis details. You can change this at your discretion, according to your business cases.

Data Privacy section for records

Once GDPR is switched on in your Zoho CRM account, each record will have a Data Privacy section where the data processing basis details are available. If Consent is the lawful basis, the options to send a consent form and to update consent details manually will also be available. A new field called Source will also be available on the record's details page; it stores where the record came from, such as web forms, APIs, or integrations.

Who can access the Data Privacy section for records

Any user who has permission to view the record will be able to view and edit the Data Processing Basis section. If you use portals and the data processing basis is Consent, people who have access to the portal will also be able to see the Data Privacy section and update their consent details.

When Consent is the lawful basis

If your business runs on Zoho CRM, you can process data based on any of the lawful bases mentioned earlier. Consent requires a deliberate action to opt in on the part of the data subject. It is therefore mandatory for the controller to keep a proper consent management system in place to obtain consent from the data subjects.

Zoho CRM's consent management system helps you obtain consent from your prospects and customers.

Consent management in Zoho CRM has the following options.

Change lawful basis for records

You can change the lawful data processing basis in the following ways:

  • Select an individual record and update the details under Data Privacy.
  • Create a list view to filter the records and click the More icon > Update Data Processing Basis.
  • Create a workflow rule to automate updating the lawful basis for records that meet certain criteria.
    Use the Data Processing Basis field to define the criteria.

View Details and History

You can view the details of the Data Processing Basis chosen for a particular data subject. Further, any change that takes place in this section is logged chronologically under History.
For example, to send marketing-related emails to your customers, you need their consent. Hence, you send a consent form via email, and when it is submitted, the consent details are automatically updated in your CRM account and can be viewed in the Details section. History displays the list of actions carried out in a record pertaining to the data processing basis, right from the creation of the record.

To view details and history

  1. Open the data subject's record in your CRM account.
    The record could be in the Leads, Contacts, or Vendors module, or in any custom module for which GDPR compliance is enabled.
  2. Click Data Privacy.
  3. Under the Data Processing Basis section, switch between Details and History.

View Dashboard

Go to Setup > Users and Control > Compliance Settings > Overview to view the dashboard, which gives you the following details:

  • Number of records that have the lawful basis marked as Not Applicable.
    You can also view these records and update their lawful basis.
  • Number of records that have been updated with one of the lawful bases.
    The records are categorized as Consent or Other Basis. You can also view these records and update their lawful basis.
  • Chart that displays the consent status: Pending, Waiting, or Obtained.
    Click on the status to view the records.
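The workflow described above (records defaulting to Not Applicable, a basis change logged in History from record creation onward, consent moving through Pending, Waiting and Obtained, a criteria-driven bulk update as a workflow rule would do it, and the Overview dashboard counts) can be modelled in a few dozen lines. The following is an added example written for this page; it is not Zoho CRM's data model, API, or field names. The `Record` class, `ConsentStatus`, `dashboard()`, the `source` values and the handling of a declined consent form are all assumptions made so the process can be run and checked offline. The `may_process()` gate is the point a practitioner cares about: a record whose basis is Consent must not be processed on that basis until the opt-in has actually been recorded.

```python
# Added example: a hypothetical model of the Data Privacy section, not Zoho CRM's
# own data model or API. Field names, Record and dashboard() are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Optional

# The six lawful bases listed on the page, plus the CRM's default once GDPR is enabled.
LAWFUL_BASES = frozenset({"Consent", "Contract", "Legal Obligation",
                          "Vital Interests", "Public Tasks", "Legitimate Interests"})
NOT_APPLICABLE = "Not Applicable"


class ConsentStatus(str, Enum):
    # Consent states shown on the overview dashboard chart.
    PENDING = "Pending"    # Consent chosen as basis, no form sent yet
    WAITING = "Waiting"    # Consent form sent, no reply from the data subject
    OBTAINED = "Obtained"  # Data subject deliberately opted in


@dataclass
class Record:
    """One Leads/Contacts/Vendors record with its Data Privacy section (assumed shape)."""
    record_id: str
    module: str
    source: str = "Manual"        # e.g. "Web form", "API" (assumed values)
    basis: str = NOT_APPLICABLE   # default value once GDPR compliance is enabled
    consent_status: Optional[ConsentStatus] = None
    history: list = field(default_factory=list)  # (timestamp, action), append-only

    def __post_init__(self) -> None:
        self._log(f"Record created from source {self.source!r}")

    def _log(self, action: str) -> None:
        self.history.append((datetime.now(timezone.utc), action))

    def set_basis(self, basis: str) -> None:
        """Change the Data Processing Basis; only the six bases or Not Applicable are accepted."""
        if basis not in LAWFUL_BASES and basis != NOT_APPLICABLE:
            raise ValueError(f"unknown lawful basis: {basis!r}")
        old, self.basis = self.basis, basis
        # Consent starts as Pending; the other bases carry no consent status.
        self.consent_status = ConsentStatus.PENDING if basis == "Consent" else None
        self._log(f"Data Processing Basis changed: {old!r} -> {basis!r}")

    def send_consent_form(self) -> None:
        """Model emailing the consent form to the data subject."""
        if self.basis != "Consent":
            raise RuntimeError("consent form only applies when the basis is Consent")
        self.consent_status = ConsentStatus.WAITING
        self._log("Consent form sent")

    def record_consent_response(self, opted_in: bool) -> None:
        """Only a deliberate opt-in yields Obtained; a decline drops back to Pending
        (the page names three statuses, so how a decline is shown is an assumption)."""
        if self.basis != "Consent":
            raise RuntimeError(f"no consent to record for basis {self.basis!r}")
        self.consent_status = ConsentStatus.OBTAINED if opted_in else ConsentStatus.PENDING
        self._log("Consent obtained (explicit opt-in)" if opted_in else "Consent declined")

    def may_process(self) -> bool:
        """Processing is allowed only under a real basis; for Consent it must be Obtained."""
        if self.basis == NOT_APPLICABLE:
            return False
        if self.basis == "Consent":
            return self.consent_status == ConsentStatus.OBTAINED
        return True


def dashboard(records: list) -> dict:
    """Counts for the Compliance Settings > Overview dashboard."""
    summary = {"not_applicable": 0, "consent": 0, "other_basis": 0,
               "consent_status": {s.value: 0 for s in ConsentStatus}}
    for rec in records:
        if rec.basis == NOT_APPLICABLE:
            summary["not_applicable"] += 1
        elif rec.basis == "Consent":
            summary["consent"] += 1
            summary["consent_status"][rec.consent_status.value] += 1
        else:
            summary["other_basis"] += 1
    return summary


def demo() -> dict:
    """Constructed sample records walked through the page's consent workflow."""
    records = [Record("L-1", "Leads", source="Web form"),
               Record("L-2", "Leads", source="Web form"),
               Record("C-1", "Contacts", source="API"),
               Record("V-1", "Vendors")]
    # Workflow-rule style bulk update: web-form leads are marketing prospects, so Consent.
    for rec in records:
        if rec.source == "Web form":
            rec.set_basis("Consent")
    records[0].send_consent_form()
    records[0].record_consent_response(opted_in=True)    # Obtained
    records[1].send_consent_form()                        # still Waiting
    records[2].set_basis("Contract")                      # existing customer
    return dashboard(records)
```

Running `demo()` yields one Not Applicable record, two Consent records (one Waiting, one Obtained) and one Other Basis record, which is exactly the split the Overview dashboard reports. The append-only `history` list is the analogue of the History tab: the first entry is written when the record is created, and every basis or consent change after that is appended in order rather than overwritten.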
