GDPR: legal grounds for lawful processing of personal data

The General Data Protection Regulation (GDPR) mentions several legal grounds for the lawfulness of processing of personal data of data subjects. A lawful basis for processing personal data consists of at least one of those legal grounds and can vary per personal data processing activity and purpose.

The need for a lawful basis for processing personal data under the GDPR (with the necessary exceptions) isn’t new. In its Recitals and Articles the GDPR says pretty much the same as its predecessor, the Data Protection Directive (Directive 95/46/EC) did on several fronts. Yet, there are impactful changes too.

[Image: GDPR lawfulness of personal data processing: the 6 main legal grounds of GDPR Article 6]

To begin with, the main Recitals and Articles on lawful processing and on the legal grounds for it are among those where not too much has changed.

Recital 39 of the GDPR recitals has this to say about the lawfulness, fairness, transparency and purpose of personal data processing: any personal data processing must be lawful and fair; it should be transparent to data subjects which personal data regarding them are processed; and the principle of transparency requires that any information and communication regarding personal data processing is easily accessible and easy to understand. Along with the need to use clear and plain language, the latter is explicitly mentioned in the scope of the purposes of the processing. Remember the notion of purpose; it comes back.

Recital 40 of the GDPR states that in order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis.

That legitimate basis should be laid down by law with the law being the General Data Protection Regulation itself or other laws of the EU or its member states.

Consent (which is not strictly the same as explicit consent, even if in practice the line can be really thin) is the best known of the legal grounds summed up in Article 6 of the GDPR text on lawfulness of processing. Yet it is not always the best path to take.

For each personal data processing activity it is key to look at what the best legal ground is, as is also advised in the guidelines on consent of the Article 29 Working Party (now the European Data Protection Board) from the end of November 2017. Checking what the best legal basis for the lawfulness of each processing activity is starts before the actual processing. And, obviously, in the scope of GDPR compliance this means that you already have a list and mandatory record of your personal data processing activities.

The mentioned guidelines emphasize that consent is one of the six lawful bases to process personal data as summed up in Article 6. At the same time, when a controller initiates activities involving personal data processing it should consider whether consent is the most appropriate legal ground for lawful processing or whether another one might be better. Do remember that when consent is chosen for any particular processing activity you also need to follow all rules and rights regarding consent.

[Image: GDPR lawfulness of processing personal data: the 6 legal grounds for processing of GDPR Article 6]

Of course you can’t always choose another one, and you must be sure of the choice you make. That starts with knowing and understanding all six legal grounds for processing personal data. So, by way of a reminder, a quick look at all of them.

Do also remember that lawfulness of processing means that at least one of the six legal grounds applies; in other words, one is enough.

1. Consent as a lawful basis for processing

In the GDPR, consent is mentioned first as a legal basis for the lawfulness of processing personal data, in both Article 6 and Recital 40.

Whereas the general rules regarding consent as a lawful basis haven’t changed that much, the new rules on consent are highly impactful for organizations (both data controllers and data processors).

Consent means that the data subject has given consent for a personal data processing activity for one or more specific purposes. As mentioned, the notion of purpose is key here. If the data subject, a.k.a. the natural person, consents to processing without knowing the (several) purpose(s) in full and in an easy to understand way, then consent is not a legal ground for processing, as it is by definition not freely given, specific, informed and unambiguous. Moreover, consent cannot be bundled. So, for each data processing activity within one broader operation, the general rule is that consent is not valid when it is given for all activities at once. By way of an example: giving consent to a range of marketing-related purposes is not valid.

Article 6 of the GDPR says that the consent of the data subject must be given in relation to “one or more specific” purposes and that a data subject has a choice in relation to each of them. That is clear: specific purposes. Given all the information duties, the several data subject rights that apply once consent is used as a lawful basis for processing, and far more, consent is not always the ideal choice, to say the least. However, the GDPR and its several legal grounds for lawful processing are not like a menu. The rule is and remains that, for all personal data processing activities, the most appropriate legal ground for each purpose and activity is chosen.

2. Contractual necessity as a lawful basis for processing

The second legal ground for lawful processing as mentioned in GDPR Article 6 is the necessity of personal data processing for a contract.

A natural person or data subject is a party to a contract, or has to take steps at his or her request in order to enter into a contract, and in order to enter into or perform that contract it is needed and agreed that personal data processing happens within this contractual scope. This isn’t really new in comparison with the Directive that is replaced by the GDPR.

GDPR Recital 40 mentions ‘the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract’ as a legitimate basis of lawful processing and GDPR Recital 44 simply states that processing should be lawful where it is necessary in the context of a contract or the intention to enter into a contract.

Each contract by definition means that personal data are processed. You can’t enter into any contractual relationship without providing personal data and identifiers, depending on the nature of the contract. At the very least this concerns contact information; in specific types of contracts, such as an insurance contract, far more is required. It is best not to stretch the definition of a contract too far, for example in order to avoid having to use consent. In the end everything can be seen as a contract, and there will be cases where controllers take a far too broad approach so they can use a contract as a basis for lawful processing.

On this very site we could for instance write a long terms and conditions text stating that visiting us establishes a contract for which we have the rights to process this and that. Don’t try it: the required data to enter into a contract or perform a contract really need to be provided in the scope of the contract and services offered.

When it boils down to contracts do check out specific rules that apply for specific industries or job functions. An employment contract is not a request for a home loan is not an additional health insurance is not, well, the list goes on.

3. Compliance with a legal obligation as a lawful basis for processing

The third legal basis for lawful processing is compliance with legal obligations.

If the controller has a legal duty for which particular personal data need to be processed, then that processing is permitted. This compliance with a legal obligation to which the controller is subject and for which processing is needed isn’t new either.

However, here as well particular rules apply. What has changed in comparison with the predecessor of the General Data Protection Regulation is that Recital 45 states that “where processing is carried out in accordance with a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, the processing should have a basis in Union or Member State law”. The limitation to EU law or EU member state laws does come with consequences.

4. Vital interests and lawful personal data processing

The protection of the ‘vital interests’ of a natural person is a fourth ground for lawful processing.

In this case the natural person doesn’t need to be the data subject; it can also be another natural person. It is of course not up to the controller to define what a vital interest is. We are really talking about life-threatening circumstances here: there is no other legal ground for processing, but not processing personal data would essentially mean that someone dies if you don’t take action, and taking action requires knowing a few things about the natural person who is in danger.

If there is a serious accident you do want to try to know a few things about the victim’s medical history such as allergies towards specific medication, GDPR or not.

Additionally, some types of personal data processing in such cases could serve not just the vital interests of the data subject or another natural person but also the public interest, for instance in case of disasters, epidemics and so forth, as GDPR Recital 46 states. And that brings us to the next legal ground for lawful processing: reasons of public interest as such.

5. Public interest as a basis for lawful processing

Public interest as a basis for lawful processing is described in GDPR Article 6 as follows: “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.

This is again pretty much the same as in the Data Protection Directive and in non-legalese simply means that public interest remains a ground for processing. Public interest here covers, among others, performing several possible public tasks (e.g. obligations with regard to VAT and taxes), the tasks you have as a public authority which require personal data processing in accordance with legal obligations, and other data processing operations which are seen as being in the public interest, such as scientific research, public health and more.

From GDPR Recital 45: “It should also be for Union or Member State law to determine whether the controller performing a task carried out in the public interest or in the exercise of official authority should be a public authority or another natural or legal person governed by public law, or, where it is in the public interest to do so, including for health purposes such as public health and social protection and the management of health care services, by private law, such as a professional association”.

6. Legitimate interests as a lawful basis for processing

The last of the six grounds serving as a lawful basis for personal data processing in the first paragraph of GDPR Article 6 is the often mentioned ‘legitimate interests’ category.

Legitimate interests already existed as a lawful basis for processing personal data in the Directive, but the GDPR adds to it in the form of stipulations on when it does NOT apply. Article 6 states that processing is lawful where it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party. A first exception, which existed before, is when legitimate interests are overridden by the interests or fundamental rights and freedoms of the data subject (of course including the fundamental data subject rights under the GDPR). Regarding the latter, the GDPR, in contrast with the Directive, explicitly focuses on the case where the data subject is a child and parental permission is always needed. Moreover, the GDPR also explicitly says that the legal ground of legitimate interest doesn’t apply to personal data processing by public authorities in the performance of their tasks.

GDPR Recitals 47 and 48 give some examples of legitimate interest (although their main aim is to emphasize what rights, freedoms and so on override legitimate interest).

  • One such example of a legitimate interest would be where ‘there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller’.
  • Another example: the processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest.
  • GDPR Recital 47 also states that the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
  • In other Recitals other legitimate interests are mentioned, ranging from network and information security to the internal workings in a group of undertakings.

The key thing to remember about legitimate interests is that these interests must be balanced and weighed against data subject rights and risks. They must be proportionate, clearly explained, more than purely economic in nature and, of course, make the processing necessary. With the additional stipulations regarding children and the many elements a controller has to take into account when weighing legitimate interests, it is not the easiest of the fundamental legal grounds for lawful processing.

Additional facts on lawful processing

Obviously there is far more on the processing of special types and categories of personal data as previously mentioned.

There are also special rules regarding data concerning criminal convictions and offences. Member states can determine more precisely the requirements for processing and can also determine other measures for fair and lawful processing, among others in the scope of the provisions regarding specific processing situations which are tackled in Chapter IX of the GDPR text.

Make sure you carefully list your data processing activities and find the most appropriate lawful basis for each of them. In practice this needs more than this overview, certainly for special categories of personal data and for organizations (controllers and processors) in very specific industries such as healthcare, and even for groups such as religious organizations, for which additional or special rules apply.
