Looking for an overview of the lawful basis for processing data under GDPR?
How does GDPR define the lawful basis for processing personal data?
What is the lawful basis for processing data without infringing GDPR?
In this article, we go over the 6 lawful basis for processing personal data as defined under the General Data Protection Regulation.
Are you ready?
Let’s get started!
Table of Contents
Lawful basis for processing under GDPR
The General Data Protection Regulation or GDPR defines what is considered to be a lawful data processing activity.
Lawfulness of processing
Article 6 GDPR lays the foundation of the lawfulness of processing:
“Processing shall be lawful only if and to the extent that at least one of the following applies:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
6 lawful basis
Essentially, the lawfulness of processing under Article 6 boils down to six grounds for processing data under GDPR:
- The data subject has given consent
- For the performance of a contract
- Compliance with a legal obligation
- Vital interest of the data subject
- Task carried out in the public interest
- Legitimate interest of the controller
If a company intends to process personal data lawfully, then the data processing must fit into one or more of the six scenarios.
The necessity of data processing
Aside from the lawful basis for processing personal data based on a data subject’s consent, the other five lawful basis requires a company to demonstrate the necessity to process personal data.
Necessity means that the processing of personal data is important and required to achieve the intended purpose.
On the one hand, necessity is not absolute and, on the other hand, it’s more than just useful information needed by the company.
If a company can achieve its intended purpose another way or without having to collect as much personal data, then the company should favour that other way of handling the matter.
Let’s look at each of the lawful basis for processing personal data.
Lawful Basis 1: Consent
The first GDPR lawful basis is related to the data subject’s consent.
GDPR states that data processing is lawful when “the data subject has given consent to the processing of his or her personal data for one or more specific purposes”.
The first lawful basis of consent is very important for organizations.
Companies may want to use and process personal data to better tailor their services to their clients or find new and creative offerings.
Being able to achieve business goals while at the same time complying with GDPR is very important.
A company can do that by getting the consent of the individual.
In other words, if a company intends to process personal data, it must provide sufficient information to the data subject about its intended purpose and obtain explicit consent.
Article 4 GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
To get valid consent from a person, a company must provide sufficient, clear and easy-to-understand information about its intended data processing activities so the data subject can understand.
The data subject must make a statement or take affirmative action to express his or her clear consent.
For example, if you intend to process personal data to deliver targetted advertising to the person, you must get explicit consent from the individual.
Lawful Basis 2: Contract
The second lawful basis for processing data is when it’s necessary for the performance of a contract with the data subject or to get into a contract with the data subject.
GDPR states that data processing is lawful when “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”.
This second ground of lawful basis for processing data is crucial for organizations.
A business must have the ability to enter into contracts with individuals without having to fear violation of data protection laws.
As a result, GDPR makes it clear that companies can process personal data, based on their necessity to enter into a contract with a person.
Pre-contractual data processing
At the pre-contractual stage, a company may need to get a person’s name, address, credit card information, shipping address and other personal information to be able to enter into a contract with them.
Processing personal information at the pre-contractual stage for a company to enter into a contract with a data subject is lawful.
For example, if you intend to purchase something online and you must give your name, address and credit card information to enter into a contract, that’s going to be a justifiable ground under GDPR.
Performance of contractual obligations
Once the contract is signed with the data subject, a company may need to process personal information to execute its obligations under the contract benefiting the data subject.
In that case, a company can invoke the necessity of processing personal information to execute or perform its obligations under a contract with the data subject.
The data processing operations must be linked to the contract signed with the data subject for it to be lawful.
If a company obtains personal data to enter into a contract with the data subject and uses the data for a purpose beyond the scope of the contract, then that ‘new’ purpose will require its lawful basis grounds.
Lawful Basis 3: Legal obligation compliance
The third lawful basis of GDPR relates to a company’s need to comply with a legal obligation.
GDPR states that data processing is lawful when “processing is necessary for compliance with a legal obligation to which the controller is subject”.
This third lawful basis for processing personal data is quite relevant for most businesses.
Many businesses are subject to various laws.
If an organization has the obligation to process certain types of personal data or store that data for a certain number of years, that can be a valid reason to process the personal data.
Compliance with EU laws
If a company processes personal data relating to data subjects in Europe, they may need to comply with GDPR.
Complying with GDPR is a legal obligation itself.
However, it may not be the only legal framework applicable to a data controller or a company.
If you are a financial institution, you’ll be subject to many laws related to the handling of financial information, confidentiality, conflict of interest and so on.
If you are an insurance company, you must abide by insurance laws and related legal framework governing how insurance companies must operate.
Complying with legal obligations applies to either European Union laws or the laws of each European member country.
Compliance with foreign laws
If the EU laws require that a company process personal, then the processing can be considered lawful under this third lawful basis of data processing.
If the laws of a country outside of the EU require that personal data be processed of individuals in the EU, the foreign company cannot invoke the necessity to process personal data to comply with its foreign legal obligations.
To comply with GDPR, the foreign company must find another lawful ground to justify the processing of personal data.
Lawful Basis 4: Vital interest
The fourth lawful basis to process data is when it’s vital to the interest of the data subject or another person.
GDPR states that data processing is lawful when “processing is necessary in order to protect the vital interests of the data subject or of another natural person”.
This is when there may be a case of an emergency and a person’s life depends on it.
In such a scenario, looking through the person’s wallet and processing his or her personal information will be justified when it’s really and absolutely necessary.
This lawful basis for processing data may not be relevant for most businesses outside of the healthcare industry.
Lawful Basis 5: Public interest
The fifth lawful basis for processing relates to data processing necessary in the public interest.
GDPR states that data processing is lawful when “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.
Again, this lawful basis may not be highly relevant to most businesses as they are not public bodies or may not exercise official authority.
This condition allows governments, public authorities, government offices, agencies or other public authorities to process personal data necessary for the performance of their tasks in the public interest.
The UK Information Commissioner’s Office notes that tasks in the public interest can include:
- The administration of justice
- Parliamentary functions
- Statutory functions
- Governmental functions
- Activities that support or promote democratic engagement
Lawful Basis 6: Legitimate interests
The sixth GDPR lawful basis is legitimate interests.
GDPR states that data processing is lawful when “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”.
This can be a useful basis for businesses to rely on when processing personal data.
Companies unable to invoke any of the other ground will probably invoke legitimate interest as a grounds for the processing of personal data.
To succeed with this lawful basis, companies must demonstrate that:
- They must process personal data
- the processing is for a clear and legitimate purpose
- they comply with GDPR and its data processing principles
- The rights and freedoms of the data subject do not override their legitimate interest
Justifying the processing of personal data under the legitimate interest will require that an organization properly consider the type of personal data processed, the purpose and consider the impact on data subjects.
This process must be well thought out and well documented to resist the scrutiny of the supervisory authorities or judicial challenge.
Lawful Basis: Takeaways
GDPR defines 6 lawful basis where companies can process personal data without infringing GDPR.
A company can process personal data provided that it can demonstrate its processing activities falls within any of the following lawful basis:
- Consent
- Contract
- Compliance with a legal obligation
- Vital interests
- Public interests
- Legitimate interests
Practically speaking, most businesses may not be able to rely on the vital interests or the grounds of the public interest as they have a very narrow and specific scope.
Often, companies may justify their data processing operations based on the consent of the data subject, their need to enter into a contract or perform a contract, comply with an EU law or demonstrate their legitimate interest.
In this article, we’ve covered the 6 lawful basis for processing personal data under GDPR to give you a better understanding of the GDPR requirements.
Ensuring that all your data processing activities can be justified under one of the lawful basis conditions outlined in GDPR is essential for compliance.
Frequently asked questions on lawful basis
What are the 6 lawful basis for processing data?
The 6 lawful grounds for processing data are:
1- Consent
2- Contract
3- Legal obligation compliance
4- Vital interests
5- Public interest
6- Legitimate interests
What is considered personal data under GDPR?
Personal data means any information relating to an identified or identifiable person.
An identifiable natural person is one who can be identified either directly or indirectly by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Is consent the only legal basis to process personal data?
Consent is one of six lawful basis for processing personal data. For personal data processing to be authorized by GDPR, the processing operations must comply with one or more of the six grounds of lawful processing.
Article 6 of GDPR defines the six grounds for the lawfulness of processing and consent is defined as follows:
“Processing shall be lawful only if and to the extent that at least one of the following applies: (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes”.
