Legal Bases for Processing Under the GDPR

Introduction and the Role of Legal Bases

Under the General Data Protection Regulation (GDPR), organizations must have a valid legal basis for processing personal data. This requirement ensures that personal data is handled responsibly, protecting individuals' rights while enabling lawful processing activities. Choosing the correct legal basis is essential, as an incorrect choice can lead to non-compliance, fines, and reputational damage.

The GDPR provides six legal bases for processing, each with distinct applications. Organizations must assess their data processing activities and determine the most appropriate basis. Selecting a legal basis should not be done arbitrarily but rather through careful evaluation. It is also crucial to document the rationale behind the choice, as authorities may require justification. Failure to comply with the legal basis requirement can result in significant penalties and corrective actions from regulators.

The Six Legal Bases for Processing Personal Data

Organizations processing personal data under the GDPR must rely on one of six legal bases. Each basis applies to specific situations, and choosing the wrong one can create compliance risks. Below are the six legal bases and their key characteristics:

  • Consent – The individual has given clear, informed, and unambiguous consent to process their data.
  • Contractual Necessity – Processing is required to fulfill a contract with the individual or take steps before entering into one.
  • Legal Obligation – Processing is necessary to comply with a legal requirement imposed on the data controller.
  • Vital Interests – Data processing is required to protect the life or physical safety of an individual.
  • Public Task – Processing is necessary for tasks carried out in the public interest or under official authority.
  • Legitimate Interests – Processing is necessary for a legitimate purpose of the controller or a third party, provided those interests are not overridden by the individual's rights and freedoms.

Understanding the nuances of each legal basis is crucial for compliance. Organizations must not default to one basis without careful consideration, as each comes with specific conditions and limitations.

Consent

Consent is one of the most recognized legal bases but should be used only when no other basis applies. The GDPR sets strict requirements for valid consent: it must be freely given, specific, informed, and unambiguous. Individuals must actively agree to data processing, and pre-checked boxes or implied consent are not permitted.

Because consent requires individuals to have full control over their data, it can be withdrawn at any time. This makes it less stable for long-term processing needs. For this reason, regulators emphasize that consent should be considered a last resort when other legal bases do not apply. Organizations should explore whether contractual necessity, legal obligation, or legitimate interests might be more appropriate before relying on consent.

Contractual Necessity

Processing based on contractual necessity occurs when data processing is essential to perform a contract with the individual. This applies when processing directly relates to fulfilling contractual obligations or pre-contractual steps requested by the individual. Organizations must demonstrate that data processing is genuinely necessary for contract execution.

For example, an e-commerce business may process customer payment and shipping details to complete an online order. Similarly, an employer processing payroll data for employees falls under this legal basis. However, organizations cannot rely on contractual necessity for processing activities that go beyond what is required for fulfilling the contract. If processing is optional or unrelated, another legal basis must be identified.

Legal Obligation

When processing is required by law, organizations must rely on the legal obligation basis. This legal basis ensures compliance with statutory or regulatory requirements that mandate data processing. Unlike consent or contractual necessity, legal obligation applies even if the data subject objects to the processing.

Examples of legal obligations include tax reporting, anti-money laundering regulations, and workplace health and safety laws. An organization collecting employee salary details for tax compliance is a typical instance of this basis in action. Controllers using this basis must identify the specific legal requirement that mandates processing and ensure compliance with applicable regulations.

Vital Interests

The vital interests basis applies in life-or-death situations, where processing is necessary to protect individuals’ safety. This legal basis is rarely used, as it is limited to extreme circumstances where no other basis applies. Typically, it is used in medical emergencies or disaster response scenarios.

For instance, hospitals processing personal data to provide urgent medical care without consent may rely on vital interests. Emergency services accessing personal records to assist unconscious patients also fall under this category. Because it is strictly limited to essential cases, organizations should not use this basis unless they can justify its necessity under extreme conditions.

Public Task

Processing under the public task basis is reserved for activities carried out in the public interest or under official authority. This legal basis is most commonly used by public institutions, government bodies, and organizations performing public functions.

Examples include public health agencies processing personal data for disease prevention, law enforcement agencies using data for criminal investigations, and electoral commissions handling voter registration. Private organizations may also rely on this basis when carrying out tasks mandated by law. However, public task processing must be clearly linked to a legal obligation or policy objective.

Legitimate Interests

Legitimate interests provide organizations with a flexible but conditional basis for processing personal data. This legal basis allows processing when it is necessary for a legitimate purpose, provided that purpose is not overridden by individuals’ fundamental rights and freedoms. Organizations must conduct a balancing test to assess whether their interests outweigh the impact on data subjects.

Typical use cases include fraud prevention, IT security measures, and business analytics. For example, an online service provider may monitor login activity to prevent unauthorized access. Similarly, a company may process limited customer data for direct marketing, provided individuals have the option to opt out. Because legitimate interests require careful justification, organizations must document their decision-making process and assess potential risks.

Choosing the Right Legal Basis

Selecting the appropriate legal basis is a fundamental step in GDPR compliance. Organizations should avoid defaulting to consent when a more suitable basis exists. The choice of legal basis must align with the purpose of processing and meet the specific requirements outlined in the GDPR.

To determine the correct legal basis, organizations should:

  • Assess the necessity of processing in relation to the intended purpose.
  • Identify whether a contractual or legal obligation justifies processing.
  • Consider whether legitimate interests can be used, ensuring a fair balance with individuals’ rights.
  • Avoid relying on consent unless no other legal basis is applicable.

Proper documentation of the legal basis decision is crucial. Regulators may require organizations to demonstrate compliance, and failure to justify processing activities can lead to enforcement actions.

Conclusion

The GDPR’s requirement for a valid legal basis ensures that personal data is processed lawfully and transparently. With six distinct legal bases, organizations must carefully evaluate their processing activities and choose the most appropriate one. Relying on consent when other bases apply can create unnecessary compliance burdens, making it essential to assess all options before deciding.

A clear understanding of legal bases helps organizations mitigate regulatory risks and maintain trust with data subjects. As data processing practices evolve, businesses must continuously review their legal bases to ensure ongoing compliance. Keeping up with regulatory developments and industry best practices is essential for navigating GDPR requirements effectively.
