
GDPR Fundamentals: Legal Basis For Processing Data
6 Legal Bases for Processing Personal Data

One of the seven major data processing principles of GDPR is to ensure that personal data is processed lawfully, fairly, and transparently.

To comply with this principle, Chapter 6 of the GDPR requires any organization processing personal data to have a valid legal basis for that processing activity. Think of these as the scenarios in which it is lawful to process data. GDPR provides six legal bases for processing:

  1. Consent
  2. Performance of a Contract
  3. Legitimate Interest
  4. Vital Interest
  5. Legal Requirement
  6. Public Interest

Consent

The data subject has given permission for the organization to process their personal data for one or more processing activities. Consent must be freely given, clear, and easy to withdraw, so organizations need to be careful when relying on consent as their legal basis. For example, the era of pre-ticked consent boxes is coming to an end under GDPR.

Performance of a Contract

Self-explanatory, right? The data processing activity is necessary to enter into or perform a contract with the data subject. If the processing activity does not relate to the terms of the contract, then that data processing activity needs to be covered by a different legal basis.

Legitimate Interest

This is a processing activity that a data subject would normally expect an organization it gives its personal data to carry out, such as marketing activities and fraud prevention. If legitimate interest is used as the legal basis for processing, the organization must perform a balancing test: is this processing activity necessary for the organization to function? Does the benefit of the processing activity outweigh any risks to the data subject's rights and freedoms? If the answer to either question is "no," then the organization cannot use legitimate interest as its legal basis for that processing.

Vital Interest

A rare processing activity that could be required to save someone’s life. This is most commonly seen in emergency medical care situations.

Legal Requirement

The processing activity is necessary to meet a legal obligation, such as an information security, employment, or consumer transaction law.

Public Interest

A processing activity carried out by a government entity, or by an organization acting on behalf of a government entity.

Challenges for Choosing a Legal Basis

Choosing the appropriate legal basis for processing is extremely important for several reasons, including:

  • There must be only one legal basis for processing at a time, and that legal basis must be established before the processing begins. Under GDPR, organizations cannot establish the legal basis after processing personal data or alternate between legal bases.
  • Whichever legal basis is chosen must be demonstrable at all times. An organization must be able to show internally, to data subjects, and to regulatory entities what legal basis it uses for each data subject. For example, organizations must be able to demonstrate when and how a data subject provided consent or executed a contract.
  • The legal basis for processing has a significant impact on the way that an organization responds to data subject rights requests because there are conditions, exceptions, and limitations on requests depending on the legal basis for processing.
  • If an organization uses multiple legal bases for different data processing activities, it should be able to distinguish which legal basis applies to which data set and respond correctly to data subject rights requests.
  • Special categories of data (such as race, ethnic origin, religion, trade union membership, biometrics, and health data) have their own legal bases for processing, which include preventive or occupational medicine, public health, collective bargaining agreements, and the legitimate activities of non-profit organizations.

It’s important to note that no single legal basis for processing is universally superior to another. The most appropriate legal basis depends on the purpose of the processing, the type of personal data being processed, and the relationship with the data subject. Choosing the right legal basis for each processing activity is incredibly important: if the wrong one is chosen, it can result in unlawful processing, noncompliant responses to data subject rights requests, and inadequate organizational and technical data processing controls.
