There are a total of six legal basis in Article 6 (1) GDPR. Each one of these bases enables you to fulfill the criteria’s for lawful usage of personal data. You should pick the base that best fits your processing, see below about “necessary”.
a) Consent for one or more specific purposes
- Consent from the data subject is the first legal basis. Note that this ground is subsidiary to the other grounds, you should therefore always consider the other grounds first.
- GDPR Article 7 sets out the conditions for valid consent. The request for consent needs to be clear. The data controller must be able to show that the data subjects have consented to the processing. If the data subject’s consent also concerns other matters, the request for consent must be clear and unambiguous and separated from the other matters. Registered persons must have the right to withdraw their consent at any time. For example, the basis consent is the reason why cookies are ok according to GDPR.
b) Necessary to fulfil a contract, or to prepare a contract
The processing is necessary to fulfil a contract between the data subject and the data controller or to take steps to prepare entering into a contract. This is typically the most suitable lawful basis to use. In order to perform a service to a customer certain necessary use of personal data is required.
For example, if you are a bank and conclude a credit contract with an individual you can rely on the basis of a contract for the service. What you cannot do is transfer the data to a third-party, without legitimate interest or consent for this purpose. This is because the contract is with the bank and not with the third party (controller).
c) Necessary to fulfil an obligation by law
Processing of personal data can be valid if there are any laws or rules that obligate the data controller a task that is dependent on the processing of personal data. Many organisations are required to share employee data with the authorities for tax and other legal obligations.
Looking for a practical guide to the DPO role?
The book Data Protection Officer provides a practical guide to the DPO role, encompassing the key activities you’ll need to manage to succeed in the role. Coverage includes data protection fundamentals and processes, understanding risk and relevant standards, frameworks and tools, with DPO tips also embedded throughout the book and case studies included to support practice-based learning.
Available as an e-book and paperback. Get a preview or free sample: Data Protection Officer (BCS Guides to It Roles)
d) Necessary to protect vital interests of the registered or of another individual
- This legal basis is the so-called “medical exemption”. This basis applies when the data subject cannot give consent and the processing of their personal information is necessary for their health or life.
e) Necessary to perform a task of general interest or as part of the exercise of authority by a person responsible for personal data
- This legal basis applies to any organization that exercises a task in the public interest. The important thing is not the nature of the organization but the nature of the relevant function. The task or authority must be set out in domestic law. It does not have to be an explicit statutory provision, as long as the application of the law is clear and foreseeable.
f) Necessary for the purpose of the legitimate interests pursued by the controller or the third party
The legal basis of legitimate interest is also called the “weighing of interests”, or “interest assessment”. This means that the data controller can process personal data without the data subject’s consent, if the data controller’s interests outweigh the data subject’s interests (balancing test) and if the processing is necessary for the purpose in question.
This basis is the most flexible, but may not always be the most appropriate. It can be appropriate if you use the data in ways that the individual can reasonably expect and if the processing has very little effect on privacy and personal life or there is a compelling interest behind the processing. The legitimate interest can be one of your own or of a third party. It can be either a commercial interest or an individual interest amongst others.
An example: A bank may want to process personal data to notice fraudulent behavior on the basis of legitimate interests. The questions the bank needs to answer are: Is it a legitimate purpose? It is with no doubt the company’s legitimate purpose. But is it in the company’s customers and the public’s legitimate purpose? Yes, you could say that it is in their interest since they in general have an interest in detecting fraud. Thereafter, you need to consider the necessity and wheighing of interests (balance test).
For more in-depth information about how and when to conduct a Legitimate Interest Assessment read our article Legitimate Interest Assessment – all you need to know.
Criteria for lawful usage – “necessary”
You need to consider which basis best reflects the purpose of your processing and your relationship with the individual. This is because most legal bases require that the processing is “necessary” for a specific purpose. A consequence of this is that if you can achieve the purpose without the processing, the processing won’t be lawful. Furthermore, to use extra sensitive data, you have to identify both a legal basis in article 6 and a separate condition in article 9.
The word “necessary” does not have the same meaning in the GDPR context as in everyday language. For example, the use of personal data to fulfil a contract may not always be necessary, but if the processing leads to necessary efficiency gains it can be seen as necessary. But if the task can be carried out cheaper or easier without personal data or with anonymous data it is typically not seen as necessary. Using technical aids to process data is necessary if it leads to efficiency gains.
- For every processing with a different purpose, you must have a different legal basis. You cannot use one general base for every purpose.
- Identify the legal basis before you start the processing.
- Each individual processing needs to have a legal base that is linked to the purpose behind the processing.
Always meet the criterion for lawful usage and comply with the GDPR. This means that you have to have a legal basis but also comply with the other provisions of GDPR. Even if you have a legal basis, the processing always needs to be in accordance with the integrity-friendly principles of article 5. Furthermore, certain extra sensitive data have further requirements set out in Article 9.