There are six legal bases for processing as set out in Article 6 of the General Data Protection Regulation (GDPR). At least one of these must apply whenever you process personal data.
While the Information Commissioner's Office (ICO) has made it clear you must have a valid lawful basis to process personal data, many organisations assume it's dependent on obtaining consent. Consent is just one of a number of sex legitimate reasons for processing personal data. Which basis you deem to be the most appropriate will depend on your purpose and relationship with the individual.
Key takeaways
- The first three legal bases for data processing under the GDPR are consent, performance of a contract and legal reasons.
- The last three are protecting the data subject's vital interests, performing a task in the public interest and legitimate interest.
- At least one of the six legal bases must apply whenever you process people’s personal information.
- If you have doubts about the legal justification for processing data, ask your data protection officer (DPO).
Key conditions to ensure data processing is legal
1. Consent
The data subject has provided clear consent to the processing activity. GDPR states it must be freely-given, specific, informed and unambiguous – provided by a statement or a clear, affirmative action. Data subjects must be able to refuse or withdraw consent without penalty.
2. Performance of a contract
GDPR Recital 40 says "the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract" is a legitimate basis of lawful processing.
3. Legal obligations
Personal data processing is necessary for legal reasons, for example, tax reporting or employee record maintenance.
Recital 45 states that "Where processing is carried out in accordance with a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, the processing should have a basis in Union or Member State law".
4. Protecting the data subject's vital interests
This only applies if it's necessary to process personal data to protect someone's life, and is. Clarified in Recital 46 of the GDPR: "Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis". For example, this applies if someone's medical history is made available to treat them in A&E after a life-threatening road accident.
5. Performing a task in the public interest
As per Article 6, data can be processed "for the performance of a task carried out in the public interest or in the exercise of official authority".
You don't need a specific statutory power to process personal data, but you must have a clear and documented basis in law.
The Data Protection Act (DPA ) 2018 clarifies that this includes processing necessary for:
- The administration of justice
- Exercising a function
- of the House of Parliament
- conferred on a person by an enactment or rule of law
- of the Crown, a Minister of the Crown or a government department
- An activity that supports or promotes democratic engagement.
Data subjects' rights to erasure and data portability do not apply if you are processing on this basis. However, they do have a right to object.
6. Legitimate interest
Legitimate interest is the most flexible of the six lawful bases for data processing. It can potentially be applied to any type of processing carried out for any reasonable purpose.
Article 6(1f) states that processing is lawful if 'processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject'.
This leaves a lot of room for interpretation and the definition is unhelpfully vague. The burden is on you to determine if your interests in processing personal data really are legitimate.
These interests must be balanced against those of the data subject(s). The GDPR mentions processing client or employee data, marketing, fraud prevention, intra-group transfers or IT security as potential legitimate interests, but this list is not exhaustive.
The important thing to consider is that ‘legitimate interests’ is most likely to be appropriate if you are using personal data in ways that the data subject would deem reasonable and where the processing has a minimal impact on their privacy.
Remember that if you use legitimate interest as your basis for processing personal information as part of your marketing activities, the data subjects’ right to object is absolute: you must stop processing if anyone objects.
Where to get advice on data processing legality
If you have doubts regarding the legal justification for processing data, it is best to ask your data protection officer (DPO).This could be a stand-alone role or someone with expertise in this area. If you don't have one, refer to Article 37(1) of the GDPR.
It goes without saying that all staff need GDPR awareness training, and those handling a lot of information (particularly sensitive data) will need a more in-depth understanding.
To reassure those who are providing you with data, create privacy notice and data processing statement web pages. Additionally make website cookie requests simple and clear.
Data processing under the GDPR: FAQs
Why does a legal basis for data processing under GDPR matter?
It’s a requirement to process personal data lawfully, ensuring compliance with related principles and laws and that people’s rights are respected.
What is a data subject in relation to the GDPR?
The identified or identifiable living individual (“natural person”) whose personal data is collected/processed/stored. An example of a data subject is a customer or an employee.
What is a data controller?
Any person/company/body/public authority that determines the why and how of processing personal data. Examples include an employer and a hospital.
Want to learn more about GDPR?
Our Essentials Library contains e-learning content designed to help organisations meet fundamental compliance requirements. If you are looking for focused training, our Data Protection and GDPR Training Package offers a complete solution for your compliance programme. Courses in the libraries include:
- General Data Protection Regulation (GDPR) Training Course
- Data Protection Training Course
- Information Security Training Course
- Cybersecurity Training Course
We've created a comprehensive GDPR compliance roadmap to help you navigate the compliance landscape. If you would like to access leading insights and compliance tips, you can browse our free resources by topic to find guides, modules, compliance bites and more.
Explore our collectionWritten by: Lynne Callister
Lynne is an instructional designer with over 20 years' storyboarding experience. Her current areas of interest are mobile learning and exploring how cognitive theories of learning can create better learner experiences.
