GDPR lawful basis for processing personal data

The General Data Protection Regulation (GDPR) is an EU law design to protect and enhance the data privacy of its residents.  GDPR is applicable for all businesses and organizations, regardless of their location, who process personal data on EU residents. As legislation, GPDR identifies specific lawful basis under which processing of personal data can occur.

Read our introduction to GDPR to learn more about the regulation.

Lawful Basis for the Processing of Personal Data under GDPR

Article 6 of the GDPR sets out six lawful bases for the processing of personal data. No particular basis is’ better’ or more important than the others.

Organizations must select the most appropriate basis to use depending on the purpose of processing the information.

GDPR permits the lawful processing of personal data on at least one of the following basis:

When is processing ‘necessary’?

While not essential, processing must be more than just standard practice. The processing of personal data cannot be defined as ‘necessary’ simply because it is part of your organization’s methods, or your business operates in a particular manner.

Instead, processing needs to be objectively ‘necessary’ and a targeted way of achieving a specific purpose.  If your organization can achieve the purpose by processing less or no data, the lawful basis will not apply.

GDPR Lawful Basis: Understanding each of the bases

For the majority of the bases, the purposes for processing personal data must be “necessary” to be lawful. If the same purpose can be achieved without processing information, yet your organization continues to process data, you are likely to be in breach of the law.

Presented below are each of the GDPR lawful basis in more detail, providing additional context and examples.

1. Consent

In data protection law, consent is a core principle, and one of the GDPR’s six legal basis for the processing of personal data.

Conditions for consent

Under GDPR, consent is only valid, when:

• • The consent is given freely
  • It is obvious and requires a clear affirmative action to opt-in
  • The consent request is specific and informed
  • In case of explicit consent, it is expressly confirmed in words, rather than by any other affirmative action

You can read more regarding the validity of consent at the UK’s Data Protection Authority’s website.

When is consent required?

Consent may be needed in several circumstances, such as:

• • If there is no other lawful basis applicable to data processing
  • You want to share or use personal information in potentially intrusive ways or unexpectedly
  • You are processing special category data (unless specific conditions apply, explicit consent may be needed to legitimize the processing)
  • If your organization makes particular types of marketing calls and messages or uses website cookies and online tracking

How should organizations seek consent?

Under GDPR, consent validity has stringent conditions.  Consequently, organizations cannot simply rely upon passive acceptance of consent, i.e. inactivity, silence, or pre-ticked boxes.

To seek consent, organizations have to:

• • Obtain consent before processing begins, e.g. for websites, this is done typically through privacy notices
  • Ensure requests for consent are simple to understand and clear
  • Inform individuals clearly what they are consenting to, and any processing performed under a different lawful basis to that which is being consented to
  • Be in a position to verify consent
  • provide transparent and detailed opt-in mechanisms
  • Document any records of consent
  • Permit the withdrawal of consent at any time through simple methods
  • Not make the provision of consent a condition of a contract

In the context of online services, if an organization is processing the data of children, they have to make sure the child’s age is verified, and consent provided by a legal guardian.

Read more about regarding children’s consent for online services and processing children’s personal data.

Consent for scientific research purposes is covered by specific provisions.

Requirement to prove consent

Under the GDPR organizations must provide evidence to demonstrate that consent has been lawfully obtained. If the only lawful basis for personal information processing is consent, organizations should consider:

• • How consent is sought, obtained, and recorded
  • Ensuring any consent provided is documented and meets GDPR conditions and standards
  • Making sure the agreement with business partners and 3^rd party provides meet GPDR compliance
  • Reviewing their audit trail, particularly instances where the consent has been obtained your behalf by a third party

Consent and individual rights

If your organization depends on consent as the lawful basis for processing personal data, then individuals’ rights will be affected. Consenting individuals, as well as the right to be informed, will also have the:

• • Right to erasure (often referred to as ‘the right to be forgotten’)
  • Right to withdraw consent
  • Right to data portability

If the only legal basis for processing is consent, individuals will not have the right to object. Read more on GDPR data subject rights.

2. Contract

Under GDPR, organizations can stipulate contractual obligations as the lawful basis for processing data, under the following circumstances:

• You need to process an individual’s personal data with whom you have a contract in place, and the processing of personal information will ensure you can fulfil your obligations as part of that contract
• A contract with an individual is yet to be made, however, they have requested an initial action, which will necessitate the processing of personal information, i.e. request for a quote

Any processing an organization conducts must be necessary for complying with your contractual obligations. If there are other ways to meet such commitments, this lawful basis will not apply.

3. Legal obligation

Organizations depending on legal obligations as the lawful basis for processing personal data can do so to ensure compliance with a common law or statutory obligation. This lawful basis is not applicable to contractual obligations. The common law with which the organization is wishing to comply with should be clear that processing is necessary for compliance.

Organizations have to be able to identify the specific legal provision they are complying with, or provided evidence or guidance which states their legal obligation.

4. Vital interests

This GDPR lawful basis is applicable where processing personal data is necessary to protect an individual’s life.

This lawful basis applies to any life and is, in most cases, applicable only in cases of emergency medical treatment.

5. Public task

Organizations processing personal data to exercise official authority or to perform a specific task, function or power, in the public interest (that is set out in law), can rely on this GDPR lawful basis.

While most relevant to public authorities, this GDPR lawful basis can apply to any organization which fulfils the criteria mentioned above.

Any processing must be necessary. If any tasks, exercise, or powers can be performed in a less intrusive way, then this lawful basis does not apply.

6. Legitimate interests

This lawful basis is often viewed as the most accommodating of GDPR’s six legal bases for processing personal information.  Theoretically, legitimate interests could apply to any processing performed for any reasonable purpose.

While the definition provides room for interpretation, it is vague. As such, organizations need to determine and demonstrate that the personal information they are processing is being done so legitimately.

Legitimate interests could include your company’s interests, third party interests, and commercial interests. The GDPR highlights several potential legitimate interests, including processing client or employee information, marketing, fraud prevention, intra-group transfers or IT security. While these are not exhaustive, what is clear is that these interests must be weighed against the interests of the data subject(s).

Legitimate interests are likely to be appropriate when processing is performed in a manner that data subjects would deem reasonable, and where their privacy experiences minimal impact.

If an organization depends on legitimate interests, the right to data portability is not applicable.

Processing Personal Data: Determining the GDPR Lawful Basis

A GDPR data audit will provide businesses with insight into their processing activities and establish which GDPR lawful basis they are processing personal information.

An explanation for your legal basis needs to be provided when dealing with subject access requests and in your privacy notice. You will also need to demonstrate the applicability of a lawful to ensure compliance with the GDPR accountability principle.

Establishing GDPR lawful basis under which your organization processes personal data

The purpose of processing personal information will determine which legal basis will apply.  Consequently, organizations must consider why they need to perform processing, and conclude which lawful basis best fits that context.

It may be that more than one basis applies, in which case organizations should identify and document all applicable legal bases from the outset. To satisfy any regulatory authority, organizations can carry out a full legitimate interests assessment (LIA).

No single basis is more important than the others, and organizations must refrain from taking a one-size-fits-all approach. In some cases, the legal basis may vary the rights available to the data subject(s). See data subject rights under the GDPR.

When determining the lawful basis, organizations should:

• Ensure that processing is necessary for the purpose
• Make certain that the purpose cannot be achieved without processing personal information
• Demonstrate compliance by documenting the choice of a particular lawful basis
• Detail the purpose and the lawful basis for processing in their privacy notice
• Recognize and document the legal basis for special category data or criminal offence data

The GDPR’s lawful basis covering legal obligation, contractual obligations, vital interests, and public tasks, relate to a specified purpose. The appropriate GDPR lawful basis will be evident if organizations are processing for one of these purposes. If none of these applies to your circumstances, then the choice will be between using legitimate interests or consent.

For most commercial businesses, consent, legal obligations or legitimate interests will be the lawful basis on which they process personal data.

What if a new purpose for processing personal information is identified?

Organizations may find that the purpose for processing personal data changes over time, or a new unanticipated purpose has been identified.  In some cases, a new lawful basis may not be required, provided the new purpose and original purpose remain compatible.

To determine if the new purpose is compatible with the original purpose, organizations should consider:

• Any relationship between the two purposes
• The context in which the information was collected. Particular consideration should be given to the reasonable expectations of the individual whose data is being collected
• The type of personal data, i.e. whether it is criminal offence data or special category data
• Consequences for individuals of the new purpose and processing
• If any appropriate safeguards are in place, for example encryption or pseudonymisation

Since consent must always be specific and informed, the above is not applicable to lawful basis of consent.  Process data under a new purpose would undermine the original consent.

In such circumstances, organizations will need to re-obtain consent to cover the new purpose. If organizations successfully obtain consent for a new purpose, they do not need to show it is compatible.

Also read

• Introduction to GDPR: A guide for new businesses and start-ups
• Data Protection Impact Assessments (DPIA)
• GDPR Data Protection Principles
• Getting started with Data Privacy: What is it, and why is it important?
• Ensuring data privacy in the Cloud