The processing of EU citizens’ and residents’ personal data is only lawful if at least one of the six legal bases set out by the GDPR applies. This means that companies are not allowed to process any personal data of EU individuals if there are no legal grounds for it.
This article aims to simplify GDPR compliance by listing the six legal bases for data processing and explaining what each of them means.
What are the six legal bases for processing personal data?
According to the GDPR, the following represent legal bases for processing personal data:
- Vital interests
- Public interest
- Legal obligation
- Legitimate interest
If the person to whom the personal data belongs to has agreed to the processing for one or more clearly defined purposes, the data processing is lawful. However, several requirements must be met for the consent to be valid.
Example: When a person checks a box on a website agreeing to receive marketing emails or newsletters from a business, they consent to the data processing. However, the consent is only valid if the person actively checks the box and not if it is pre-checked. Furthermore, the company can only process the individual’s data for the specific purposes they agreed to, for example, receiving newsletters and marketing emails. Using the data for anything else would not be lawful.
2. Vital interests
According to the GDPR, protecting the vital interests of a person also constitutes a lawful basis for data processing. This applies when someone’s life is in danger, and the processing is necessary in order to save it.
Example: Let’s say a person has a car accident and is rushed to the hospital in critical condition. In this case, the doctors can legally access the person’s medical record to ensure they provide appropriate treatment and save the person’s life.
When an organization enters into a contract with the data subject and needs to process their personal data in order to fulfil that contract, the data processing is lawful.
Example: If a person makes an online purchase and wants the goods delivered to their home address, the online retailer is allowed to process the customer’s personal data in order to meet the delivery request.
4. Public interest
If the data processing is necessary for carrying out a task in the public interest or in the exercise of official authority, the data processing is legal.
Example: If you witness a crime, law enforcement authorities can request personal data from you if that data is necessary for their investigation.
5. Legal obligations
If a company has to process personal data in order to meet its legal obligations, the data processing is lawful.
Example: A financial institution that is required to perform a KYC verification for AML compliance purposes is allowed to process its clients’ personal data in order to meet legal obligations.
6. Legitimate interest
This lawful basis is the most flexible one. It applies when an organization has a legitimate interest in processing the data, and the person’s interests, rights, and freedoms do not override this legitimate interest. However, keep in mind that the data processing must be necessary, meaning there is no other way to further your legitimate interest.
Example: Let’s say an individual uploaded their CV on a job site. A recruitment agency comes across the CV and sends it to one of its clients, thinking the individual will be a good match for the position the client is hiring for.
In this situation, the data processing is lawful since the client has published their CV on a job site in order to get a job. Naturally, the individual expects recruiters to access the CV and pass it on to their clients.
As a result, the legitimate interest of the recruitment agency (finding the right candidate for their client) is not overridden by any rights or freedoms of the individual. This means that the data processing is lawful.
How can businesses ensure that they process personal data lawfully?
Besides leading to fines and penalties, failing to process personal data lawfully can seriously damage a brand’s reputation. Therefore, we have gathered some advice to help businesses comply with this GDPR requirement.
Always choose a legal basis before processing personal data
Businesses need to choose an appropriate legal basis before processing personal data. If a company starts processing personal data without having a legal basis, the data processing is not lawful.
Make sure that you choose the most appropriate legal basis
Different legal bases apply depending on the type of personal data collected, the purpose of the processing, and the company’s relationship with the data subject. Therefore, companies must ensure that they choose the most appropriate legal basis for the processing. Don’t forget to document the entire process, so you can justify your choice in case of an inspection.
Be aware of the additional requirements regarding consent and legitimate interest
Consent: If you choose consent as your legal basis, you need to meet additional requirements, including making it easy for the individual to withdraw it.
Legitimate interest: When legitimate interest applies, companies must conduct a Legitimate Interest Assessment before processing the data. The Legitimate Interest Assessment should:
- identify the legitimate interest of the company
- establish if the processing is necessary to fulfill the legitimate interest
- balance the company’s legitimate interest against the data subject’s interests, rights, and freedoms
Ensure that you can demonstrate your GDPR compliance
In the event of an inspection, companies must be able to demonstrate their GDPR compliance. The best way to do this is by conducting Data Protection Impact Assessments (DPIA), especially in situations where a project poses a high risk to the rights and freedoms of the data subject.
The Data Protection Impact Assessment should include:
- a description of the different data processing activities and their purposes
- the legitimate interest of the business (if applicable)
- an assessment of the necessity and proportionality of the processing in order to fulfil the purposes
- an assessment of the risk to the rights and freedoms of the data subjects
- the measures that should be taken in order to mitigate such risks and ensure the protection of personal data
Remember that you must carry out the DPIA prior to the data processing.
Be mindful when processing special categories of personal data
Special categories of personal data concern an individual’s:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- biometric data
- sex life or sexual orientation
Companies are prohibited from processing special categories of personal data unless at least one of the exceptions set out in Art. 9 (2) of the EU’s GDPR applies.