Data controllers need to rely on a “legal basis” in order to process personal data lawfully. It is essential to identify the appropriate legal basis as it may come with specific requirements (e.g. consent must be free, specific, informed and unambiguous) and have consequences on individuals’ rights (e.g. the right to portability only applies when the legal basis is consent or a contract).
On this page, you will find more information on the different legal bases under the GDPR. Find out more about the rights that apply per legal basis.
What are the possible legal bases under the GDPR?
Data controllers can only process personal data in one of the following circumstances:
- with the consent of the individuals concerned;
- where there is a contractual obligation (a contract between your organisation and an individual);
- to meet a legal obligation under EU or national legislation;
- where processing is necessary for the performance of a task carried out in the public interest under EU or national legislation;
- to protect the vital interests of an individual;
- for your organisation’s legitimate interests (except if these are overridden by the interests or fundamental rights of individuals) .
In addition, the GDPR establishes additional conditions for the processing of sensitive data.
Consent
Your organisation may decide to rely on consent for the processing of personal data.
If a data controller uses consent as a legal basis for the processing of personal data, they must ensure that this consent is freely given, informed, specific and unambiguous. This means that individuals must have a genuinely free choice regarding whether or not they agree with the processing of their personal data; they need sufficient information so that they can understand which data is processed, for what purpose, and how this is done; and they need to be able to freely withdraw their consent (without any negative consequences) if they change their mind later on.
If the organisation has to process the data and cannot truly enable individuals to withdraw their consent, this is an indication that consent is not the appropriate legal basis of the processing, and there is a need to assess if another legal basis could be applicable.
Conditions for consent
Free
Consent is freely given when individuals are able to refuse and withdraw their consent with no risk of external pressure or negative consequences. Individuals must also have the right to withdraw their consent at any time; this process must be made easy for individuals to do (as easily as it was to provide it). Withdrawing consent must not affect the processing of the individual’s personal data that was done prior to this withdrawal, when consent was still valid.
For example, in principle, employees will not be in a position to freely provide consent to processing carried out by their employer, as employees may feel that they are unable to refuse their employer’s request.
Specific
For consent to be valid, it must also be specific to the processing purpose. This condition is closely related to the condition of informed consent: individuals must be informed of the specific purposes in a plain and easy to understand language, so that they have a clear idea for which purposes their data is being processed. This also means that if the purposes of the processing operation change or if additional processing operations are added, individuals should be asked for their consent again. Likewise, if a processing operation has multiple purposes, consent should be given for each of them.
For example, a streaming service collects their clients’ personal data to offer them tailored viewing suggestions. After some time, the streaming service decides to share their clients’ personal data with third parties so that they can send targeted advertising to the clients based on their viewing habits. As this is a new purpose, the streaming service will have to ask for their client’s consent.
Informed
When requesting consent from an individual, your organisation must ensure that this request is communicated to the individual in an intelligible and easily accessible form, using clear and plain language. Information should be given about the purposes, the identity of the controller, the categories of data, the recipients and the right to withdraw consent.
Unambiguous
For consent to be unambiguous, there should be a clear affirmative action (without pre-ticked boxes and made separately from applicable general conditions).
It is recommended to refresh the consent at appropriate intervals. In addition, you must be able to demonstrate that the individual whose data is processed has given their consent, for example through a written or signed declaration, or by a deliberate action like ticking a box.
Conditions applicable to children’s consent
As a data controller, you should take reasonable efforts to check the age of the individual.
Children aged 16 and above are considered as being able to give their own consent.
For children below the age of 16, your organisation must request consent from that child’s legal guardian or parent. In this case, you would have to take reasonable efforts to check that the person consenting on behalf of the child has the parental responsibility. Please note, however, that the GDPR gives EU Countries the possibility to, through national law, set the age of consent between 13 and 16, when services are provided via internet. Therefore, it is advised to check your national provisions on this matter.
When consent can be provided by children, the language used to communicate the information relating to the service should be adapted to their age.
Performance of a contract
Processing the personal data of an individual for the performance of a contract is a valid legal basis, for example, in the following cases:
- Your organisation needs to process an individual’s personal data to provide a service.
- A potential client or customer has asked you to do something before entering into a contract with your organisation, for example they may wish to receive a quote for the services that you provide, for which you may need to process some of their personal data.
The processing must be necessary for the performance of a contract. In practice, this means that your organisation cannot proceed with the execution of the contract or service without the personal data in question. It is recommended that your organisation documents the reasons explaining why the processing of an individual’s data is necessary for the performance of a contract.
In addition, you should try to collect the least amount of personal data necessary to perform the contractual service or for taking relevant pre-contractual steps. In particular, you cannot use the contract to artificially expand the categories of personal data or types of processing operations. Rather, you should ensure that there is a genuine mutual understanding of the contractual purpose, based on the expectations of an average individual when entering into the contract.
This legal basis may also apply to certain actions related to contractual warranty, and to certain actions that can be reasonably foreseen and necessary within a normal contractual relationship, such as sending formal reminders about outstanding payments or correcting errors or delays in the performance of the contract.
This legal basis does not apply, however, if you wish to process an individual’s personal data for marketing purposes, fraud prevention, targeted advertising or any other purposes related to your organisation’s business model. In such cases, other legal bases may be available, such as consent or legitimate interest, provided that the relevant criteria are met.
Legislations may also impose the processing of personal data, even after the termination of the contract (for instance, to keep records for accounting purposes).
Naturally, the contract must also be valid under the applicable law.
In practice
- You are a company that sells clothes, both online and in a shop, you may need to process some of your customers’ personal data, such as credit card details, to be able to process the purchases made by your customers for your clothes. In this case, processing the personal data of customers may be necessary for the performance of a contract.
- You are a company offering home insurance. A potential customer has requested a quote for their home insurance. As such, some of their personal data may be necessary for you to provide them with an accurate price for their home insurance.
- You are a company that sells books, which some of your customers have purchased. When these customers purchased these books, you may have collected some of their personal data, which was necessary to process the transaction. You now wish to process these customers’ personal data, including data about their previous purchases, to recommend other books that they may like. You cannot rely on the processing of personal data for the performance of a contract as a legal basis because processing customers’ data for the purpose of advertising other books is not necessary for the performance of a contract.
As such, your company will need to request customers’ consent to be able to advertise other books to them or, depending on the circumstances, may rely on its legitimate interest.
Compliance with a legal obligation of the controller
The GDPR provides for another legal basis, namely: it is necessary for compliance with a legal obligation to which the data controller is subject.
This legal basis can be relied on where a processing operation is imposed on an organisation by EU or national legislation. More specifically, four conditions must be met:
- the legal obligation must be defined by EU or national law to which the controller is subject;
- these legal provisions must establish a clear and specific obligation to process that personal data;
- these provisions must at least define the purposes of the processing;
- this obligation should be imposed on the controller and not on the data subjects.
If these conditions are not met, the processing operation cannot be based on the legal obligation and another legal basis must be sought.
The GDPR provides for many different circumstances in which data controllers are legally obliged to process their customers’ or clients’ personal data. For example, employers usually need to process their employees’ personal data for social security purposes, or a business often needs to process their clients’ or customers’ personal data for tax purposes.
Read more
Vital interests of an individual
Processing data to protect the vital interests of an individual can be relied on only in rare and specific cases. This may be the case, for instance, if you need to process personal data to protect someone’s life. However, based on the GDPR, this legal basis is very limited in scope and can only be relied on in the case of emergencies.
In practice
Your organisation offers rafting trips. During one of the trips you organised, one of the participants is seriously injured. As a result, the participant is unconscious and must receive urgent medical care in a hospital. As an organisation you may need to communicate (= process) that individual’s personal data to the hospital that needs to treat them to save that person’s life. In this context, you may be able to process this individual’s data to protect their vital interest.
Public interest
In some specific cases, your organisation may be able to process individuals’ personal data for a task carried out in the public interest. In this case, the processing must have a basis in EU or national law. Its purpose must be determined in that legal basis or be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. Therefore, this legal basis may be relevant, in particular, for processing operations by public authorities for the purpose of carrying out their tasks.
In practice
Your organisation is a medical practice, which includes a dentist and a general practitioner. You may need to process both the dentist’s and the general practitioner’s personal data to ensure that their qualifications, moral and ethical conduct meet the standards set in the country where your medical practice is located.
Legitimate interest
Your organisation may be able to process individuals’ data for matters of legitimate interests, provided that these interests (commercial, protecting your property, etc.) do not create an imbalance to the detriment of the rights and interests of individuals.
While the GDPR and relevant case law of the Court of Justice of the European Union (CJEU) provide for examples of legitimate interests, there is no exhaustive list.
However, you must ensure that this interest respects a certain number of requirements:
- it must be lawful, clear, real and present;
- the processing must be a necessary for pursuing this interest;
- the legitimate interest must take into account the individual’s rights to data protection, which cannot be overridden. In the context of this requirement, the controller must weigh its legitimate interest and the interests or fundamental rights and freedoms of individuals and must also consider what they may reasonably expect. This balancing exercise must be made in light of the concrete conditions under which these operations are carried out.
In practice
You run a renovation company. One of your customers disputes the quality of a kitchen renovation and refuses to pay the bill in full. As a first step, you transfer the customer’s data to your lawyer in order to negotiate a settlement with the customer. As the customer still refuses to pay, you engage a debt collection agency. You only transfer the personal data necessary for the procedure to the debt collection agency and the agency only carries out limited checks to confirm the contact details of the customer and to start a court procedure.
While the first step may still fall within the processing necessary for the performance of a contract, further steps taken, such as the engagement of a debt collection agency could be considered as within the legitimate interest of the controller. As the actions taken by the agency are not too intrusive and the impact on the customer is limited, legitimate interest could be an appropriate legal basis.
Processing of sensitive personal data
Additional requirements apply if you intend to process data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. These special categories of data are commonly referred to as “sensitive data”.
The processing of sensitive data is generally prohibited, except in the following specific cases.
- The individual has given their explicit consent for their sensitive data to be processed.
- The processing of sensitive data is necessary for the data controller to fulfil their obligations, specifically in the context of employment, social security and social protection. For example, the data controller may need to process a person’s sensitive data to be able to determine if they are entitled to certain social security benefits or employment stipends.
- The processing of sensitive data is necessary to protect the vital interests of a person where the individual is physically or legally incapable of giving consent. For example, if an individual is left unconscious as a result of an accident and requires immediate medical care, their special categories of personal data may need to be processed for the appropriate medical care to be delivered.
- The processing of sensitive data is carried out in the context of the legitimate activities of a foundation, association or other non-for-profit organisation with a political, philosophical, religious or trade union aim, and only for the processing of the personal data of their members, former members or persons having regular contact with them.
- The sensitive data was manifestly made public by individuals.
- The processing of sensitive data is necessary in the context of legal proceedings.
- The processing of sensitive data is necessary for matters of substantial public interest.
- The processing of sensitive data is necessary in the context of preventive or occupational medicine. For example, assessing an individual’s sensitive data, such as their medical data, may be necessary to determine their working capacity as an employee.
- The processing of sensitive data is necessary for matters of public health on the basis of EU or national law. For example, processing individuals’ sensitive data may be necessary to ensure a high quality of health care and a high quality of medical products, or to combat serious health threats, such as viruses.
- The processing of sensitive data is necessary for matters of archiving purposes in the public interest, or for scientific, statistical, historical, or research purposes. For example, processing sensitive data may be necessary to provide accurate statistics on a country’s situation in a particular field.
Checklist for processing sensitive personal data
- Ask yourself whether you need to process an individual’s special categories of personal data for the processing envisaged.
- Identify the legal basis (= legal justification) for processing an individual’s personal data. You should refer to Art.6 GDPR.
- Identify if the additional conditions for the processing of sensitive data are respected. You should refer to Art. 9 GDPR.
- Identify the risks and data protection safeguards, such as the technical and organisational measures, that your organisation may need to put in place when processing individuals’ special categories of personal data.
- Do not forget to keep a record of your reasons for processing an individual’s special categories of personal data, of the risks that this may entail, and of the measures you have put in place to mitigate those risks.