What are legal bases in GDPR?

Six legal keys for your compliance

Processing personal data in a compliant manner requires that you clearly define why you need the data, and that you know on what legal grounds your processing will be based.

These legal grounds are what we call legal bases. In total there are six of them, and you’ll need to choose one for each of your processing purposes.

Legal bases provide an additional compliance framework for your processing purposes: some require additional information to be given to the data subject or limit the scope of certain rights, and some apply only in specific contexts.

Let’s explore these legal bases and understand in what context each applies, as well as what each entails in terms of responsibility for you. For the sake of convenience, I ordered them by frequency: the ones you should encounter the least are at the bottom of the list.

Contract

If you have entered a contractual relationship with an individual (or are about to do so), you may need to collect and process personal data in order to fulfil your contractual obligations.

Thankfully, GDPR covers this use case perfectly with this legal basis: a contract between you and an individual makes lawful the data collection carried out in the context of that contract.

For example, if you are a pizzeria owner who does delivery, any data required to process your orders and deliver them is covered by your contractual relationship with your buyers.

Watch out, however: contracts between organizations are not a reliable legal basis for collecting the personal data of their employees or members. Always make sure that the contract is between you and the individual concerned, not their employer, client or organization.

Legal obligation

Along with the contract, this is probably the most evident legal basis of the bunch. As many laws and regulations predate the GDPR, processing personal data to comply with them overrides the other compliance requirements of the GDPR.

You’ll still need to explain what you do with the data and protect it effectively, but you’ll have to process it no matter what, as it is a matter of compliance with other legal requirements.

For example, you may need to analyze bank transaction data in order to comply with AML (Anti-Money Laundering) regulations, or keep a copy of your invoices for a specific period of time.

You’ll need to clearly identify which regulations you have to comply with, and be able to provide their references to any data subject who requests them.

Consent

Consent is the most well-known as well as one of the most misunderstood legal bases in the GDPR. Either people think that everything should require consent now, or they underestimate the workload that goes with a compliant consent collection process.

Consent, in itself, is basically asking the data subject’s authorization to process their personal data for a given purpose. They may or may not agree, and access to a service or product should absolutely not be conditioned on their consent.

For example, a site asking for your consent to provide you with targeted ads, only to kick you out of the website if you refuse, is not collecting compliant consent according to GDPR. (Note: this could be a case of legitimate interest, as explained in the next section, but not consent.)

In fact, compliant consent according to the GDPR requires fulfilling a long list of conditions, including clearly informing the data subject, having each given consent be specific to only one purpose, and being able to audit these consents.

The ICO provides great guidance regarding what needs to be done to make consent compliant:

Legitimate interest

This is the tricky one. Back when GDPR was still a new thing, many of my clients wanted to base all of their processing activities on this legal basis, without realizing the risk it exposed them to.

Even if legitimate interest seems to be a catch-all for anything you want to do without having to involve the data subject (either by contract or by consent), it requires considerable commitment from you, and multiple assessments that you’ll need to complete and document to ensure that the user’s privacy is respected.

In case of an audit or control, you’ll need to be able to provide a Legitimate Interest Assessment for each of the processing activities that you base on this legal basis, as well as prove that you respect any constraint identified during these assessments.

Once again, the ICO provides excellent guidance in order to achieve compliance:

Vital interests

This one is rather evident as well. If you need to process personal data to ensure the health and safety of individuals, you should be able to do so. Otherwise, it would be rather tricky to ask for the consent of someone who is having a seizure, or is in the midst of a natural disaster.

Given that health data is usually in scope for this kind of processing activity, you’ll need to take extra precautions regarding its access and security. You’ll usually also have to carry out a Privacy Impact Assessment to assess the impact on the user’s privacy and cover your bases correctly.

Public task

I’ll make this short: this legal basis only applies if you are exercising official authority, or doing some kind of public work that involves personal data. It’s a really rare use case, and should be disregarded unless specifically recommended.

When initiating a personal data processing activity, you should choose your legal basis wisely. There is no “one size fits all” solution, but having a clear understanding of when and where each one applies, and what it entails, will help you identify the most suitable one for your use case.
