Lawful basis: a short introduction

It might be useful to start this with the answer to one frequently asked question.

Question: Does a data controller have to have my consent before they can process my personal data?

Answer: No. They do not.

European data protection law is distinguished from data protection law elsewhere by requiring a lawful basis for any and all processing of personal data. Many laws relating to data processing in the rest of the world do not have this requirement.

“All the DPC wants for Christmas is for people to know that consent is not the only possible legal basis for processing personal data. There may be other, more appropriate justifications for sending corporate Christmas cards, such as ‘legitimate interest’.”

‘Does the GDPR really say that? Festive edition’, Data Protection Commission of Ireland, December 2019

According to the principles of data protection, your personal data must be processed lawfully. Article 6.1 of the GDPR sets out six lawful bases which a controller can use to process your personal data.

Only one of these is consent. In other words, your consent is frequently not necessary in order for an organisation to process your personal data.

There is no hierarchy to these lawful bases. This list is numbered just for convenience.

1. Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

1. Consent

Processing of personal data is lawful if “the data subject has given consent to the processing of his or her personal data for one or more specific purposes.” There are very specific rules set out in the GDPR for data controllers who wish to process your personal data based on your consent. There’s a whole Article (number 7) of the Regulation devoted to what makes your consent valid or invalid. If the data controller doesn’t do this properly then your consent is invalid and they are unlawfully processing your personal data. You have the right to withdraw your consent at any time. It must be as easy for you to withdraw your consent as it was to give your consent.

2. Contract

Processing of your personal data is lawful if it is “necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.” The processing must be genuinely necessary to perform the contract for this basis to apply.

For example, if you order a delivery of sushi, the restaurant can give your address to the delivery person because your address is necessary to deliver the sushi, and therefore fulfil the contract.

3. Compliance with a legal obligation

Much processing of personal data takes place using this lawful basis. For example, employers must process personal data about their employees for taxation purposes, and businesses must process information about their customers for the same reason.

4. Vital interests

Vital interests usually means a matter of life and death. Personal data can be processed if it is necessary in an emergency situation to keep someone alive. Vital interests should only be used in a scenario where it is not possible to use another lawful basis, for example if someone is unconscious after an accident and unable to give consent, but medical staff need access to their medical records to discover if they use a particular type of medication.

Recital 46 GDPR:

The processing of personal data should also be regarded to be lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis.

5. Performance of a task carried out in the public interest or the exercise of official authority

This is usually for public sector data controllers. If there is a national or EU law which sets out a requirement for them to process your personal data then they will use this lawful basis.

6. Legitimate interests

This means that a data controller can process your personal data for legitimate purposes of their own, i.e. their legitimate interest(s). Many common functions of businesses will be covered by legitimate interests, for example saving website visitors’ IP addresses for a limited period of time for security or fraud prevention purposes. A sushi delivery restaurant like the one mentioned above might store your address for a limited period of time if they wish to save you the inconvenience of typing it in frequently.

If they are using legitimate interests as a lawful basis then they must tell you:

  • what those legitimate interests are
  • how these legitimate interests of theirs outweigh your rights and freedoms (i.e. your interests)

Lawful basis and your rights

Your rights as a data subject vary depending on which lawful basis a data controller is using to process your personal data. For example, you cannot object to the processing of your personal data if consent is the lawful basis, but you can withdraw your consent at any time. Nor can you object to processing which is carried out under the contract or legal obligation bases.

You generally cannot request that your data is erased (your right to be forgotten) if the controller is using the legal obligation or performance of a public task lawful bases.
