Six Legal Bases
Six Legal Bases for Processing – GDPR Article 6
The legal bases are set out in GDPR Article 6. In data protection terms a ‘legal basis’ (also referred to as a lawful basis) means the legal justification for the processing of personal data. At least one valid legal basis is required whenever personal data are to be lawfully processed in line with data protection law. There is no hierarchy or preferred option within this list; instead, all processing of personal data should rest on the legal basis that is most appropriate in the specific circumstances of that processing. The legal basis chosen also influences which data subject rights apply.
- Consent of the individual concerned
Consent of the individual (data subject) means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which the person, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to them.
- Contractual obligation
The organisation can rely on this lawful basis if it needs to process someone’s personal data: to deliver a contractual service to them; or because they have asked the organisation to do something before entering into a contract (e.g. provide a quote).
- Legal obligations of the organisation
The organisation can rely on this lawful basis, if it needs to process the personal data to comply with a common law or statutory obligation. This does not apply to contractual obligations between an organisation and individuals.
- Vital interests of the individual
An organisation is likely to be able to rely on vital interests as a lawful basis, if it is to protect someone’s life. But it cannot rely on vital interests for health data or other special category data if the individual is capable of giving consent, even if they refuse their consent.
- Public interest/public task
An organisation can rely on this lawful basis if it needs to process personal data ‘in the exercise of official authority’, which covers public functions and powers that are set out in law, or to perform a specific task in the public interest that is set out in law.
- Legitimate interest
This is the most flexible lawful basis for processing, but it will not always be the most appropriate.
There are three elements to the legitimate interest basis. It helps to think of this as a three-part test. The organisation needs to:
- Identify a legitimate interest. The interest must be stated specifically rather than in general terms. Common examples are health and safety; protection of property; fraud or crime prevention; network and information security; etc. Note: You must include details of your legitimate interests in your privacy information.
- Show that the processing is necessary and proportionate to achieve the purpose identified above.
- Balance the organisation’s interest against the individual’s interests, rights and freedoms. The legitimate interests can be the organisation’s own interests or the interests of third parties. They can include commercial interests, individual interests, or broader societal benefits. See further information on the Balancing Test/Legitimate Interest Assessment below.