This article is a follow-up to our older blog about consent under the GDPR, where we briefly explained how consent works and what the limitations of consent are. We briefly mentioned that consent is not always necessary, and that personal data can sometimes be lawfully processed without a data subject's consent.
Today we will look closely at all the other legal bases for processing data under the GDPR. That's enough material to write a book about, so we will keep it as short and straightforward as possible.
- What is a legal basis?
- What are the legal bases under the GDPR?
- What legal basis should I choose?
- The legal bases
- Final Thoughts
Let's dive in!
What is a legal basis?
In a nutshell: to process data lawfully, you need to rely on one of six legal bases listed by Article 6 GDPR. From a practical standpoint, this means that you are only allowed to process data when you meet one of these legal bases. So, you can consider these legal bases as alternative requirements that must be satisfied.
What are the legal bases under the GDPR?
Art. 6(1) lists six legal bases:
- consent
- the performance of a contract
- compliance with a legal obligation
- the vital interest of the data subject or another natural person
- performance of a task in the public interest/exercise of a public authority
- the legitimate interest of the controller
These legal bases come with specific requirements, which can be considered a set of "pros and cons." For instance, consent is only valid when freely given, specific, informed, unambiguous, and revocable (see Articles 4(11) and 7(4)). If these requirements cannot be met, another ground must be used. Sometimes two or more grounds are available, while at other times, no ground may be available at all, in which case the data cannot be processed.
There is no order of priority between legal grounds. For instance, a data controller is free to choose between consent (listed first) and legitimate interest (listed last), provided that the requirements for each ground can be met in that specific scenario.
What legal basis should I choose?
As we said, each ground comes with specific requirements. Sometimes only one will be available, while at other times you might have the luxury of choosing between two or more.
Each legal basis has pros and cons. For example, let's assume you can choose between consent and legitimate interest. If you choose consent, then you need to collect consent in the first place. You also must ensure that the consent requirements (freely given, informed, specific, unambiguous) are satisfied, and be prepared to deal with the possibility that consent might be withdrawn.
If you rely on legitimate interest instead, you don't need to collect consent, and you don't need to worry that consent might be withdrawn later. But you will need to balance your interest with the data subject's rights, and the person the data refer to may object to the processing (more on this later).
So, choosing a legal basis is the result of a case-by-case assessment. For example, if the processing is very invasive, then your legitimate interest may be hard to balance, and consent may be a better choice. On the other hand, if you are very concerned about the withdrawal of consent, you may want to consider legitimate interest instead. There really is no one-size-fits-all solution, which makes it fun.
That being said, all grounds have specific requirements, and as a result, some are more readily available to certain controllers. Companies and other private entities typically rely on consent, contract, and legitimate interest. On the other hand, public entities usually rely on either legal obligation or public interest/authority.
The legal bases
We already discussed consent, so we'll look at the other grounds. There is much to say about legal grounds, and we can only scratch the surface here.
Under Art. 6(1)(b) GDPR, you can process data when the processing is "necessary for the performance of a contract" with the data subject or to enter a contract at their request. For example, if you are shipping goods to a customer, you need a delivery address and contact information to ensure the shipping goes well. You can process this data based on the performance of your contract with the customer.
Contract is a convenient and hassle-free legal basis. On the other hand, it is pretty restrictive as to what data can be processed because the notion of necessity must be interpreted strictly and in reference to the actual object of the contract.
In other words, you cannot provide for the processing of unnecessary data in a contract as a convenient excuse to rely on this legal ground. DPAs won't let you cheat the system like that. That being said, it is not always clear whether the processing of certain data is essential to a contract, so there can be some gray areas in practice.
Consent and contract are sometimes easy to confuse because contracts are typically concluded with consent. To be clear: just because a contract provides for the processing of personal data, does not mean that contract is the legal basis for the processing. For instance, the contract could be used to collect consent for the processing. But these distinctions can be difficult for consumers to understand! In order to avoid misunderstandings, it is a good idea to explicitly identify the legal basis for the processing of the data in a contract.
Update: we later wrote about three decisions from the European Data Protection Board and a high-profile ruling of the EU Court of Justice, all involving Meta. This new case law confirms that the legal ground of contract must be interpreted strictly.
Under Art. 6(1)(f), data can be processed when necessary for pursuing a legitimate interest of the controller or a third party. For instance, a company can install surveillance cameras on its premises based on its legitimate interest in protecting its property.
Legitimate interest is a very flexible ground and can be used for many purposes. It can cover a person's interest in protecting their property, a company's interest in running their business or advertising a product, an NGO's interest in pursuing humanitarian goals, and so on. Even a general interest can sometimes be invoked to rely on legitimate interest.
Legitimate interest is meant to add a degree of flexibility to the otherwise rigid system of legal grounds under the GDPR. In order to prevent the data controller from abusing this flexibility, the GDPR requires that the legitimate interest being invoked is not overridden by the interests, rights, and freedoms of the data subjects.
This assessment is commonly referred to as balancing. In a nutshell, balancing consists of three questions:
- is the interest legitimate?
- is the processing necessary?
- does the processing disproportionately impact the position of the data subject?
This sounds simple enough, but it is quite tricky. Balancing is a case-by-case assessment and needs to take many variables into account. Returning to our example: are the cameras active all the time or only outside working hours? Are the cameras placed in the company parking lot, or are they inside the workplace where they can capture footage of employees as they work? Do the cameras record footage of pedestrians moving down the street? All of these questions are relevant to the balancing of legitimate interest.
In practical terms, the controller will typically carry out the balancing test by drafting an assessment called a legitimate interest assessment or LIA. While not mandatory under the GDPR, a written assessment is the best way for the controller to show that they did their homework and assessed the balancing in depth.
There is much more to say about balancing, but the bottom line is that balancing is tricky, and you should consider this when deciding to rely on legitimate interest. On the other hand, legitimate interest is a very flexible ground, so it may be the only choice in some scenarios.
Two last points. First, the GDPR provides that public authorities cannot invoke this ground in performing their tasks (Article 6(1)). This is because public authorities are usually in a position of power relative to the citizen, and because they can use the fairly broad legal ground of the performance of a task in the public interest (see below).
Second, the data subject has a right to object to the processing of their data based on legitimate interest. Notably, this right also functions as an opt-out mechanism for direct marketing based on legitimate interest. We won't go into more detail, but if you're curious, the ICO's website is a good source of information on this topic (there is no difference between the GDPR and the UK GDPR in this regard).
Under Art. 6(1)(c), personal data can be processed when the processing "is necessary for compliance with a legal obligation." For example, a bank can process its customers' personal data to fulfill its obligations under anti-money laundering regulations.
Art. 6(3) further specifies that the source of a legal obligation must be EU or Member State law. The notion of law is broad and includes rules such as administrative acts or judicial decisions. However, this law must require the data to be processed; simply authorizing the processing will not do. Additionally, this law must fulfill specific requirements of proportionality laid out by the GDPR, which means that Member States cannot make any processing of personal data lawful by simply creating a law for that purpose.
Legal obligation is a relatively hassle-free ground but is also very restrictive, as it can only be used in specific scenarios and for specific purposes.
Under Article 6(1)(d), data can be processed to protect the vital interests of the data subject or of another person. For example, if an employee is in imminent danger, the employer can provide law enforcement with GPS data from the company's car so that they can find them and take action as soon as possible.
In this context, vital interest means a life-threatening situation is taking place. Vital interest is a rather exceptional ground and not something you would use for day-to-day data processing.
Public interest or exercise of a public authority
This is a long one: under Art. 6(1)(e), data can be processed when it is "necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller." For instance, a public school can process student grades based on its public task to further education. And the tax authority can process your personal data when performing an inspection because they can do so under the law; if the authority needed consent, no one would pay their taxes!
This ground is typically used by public authorities and public entities. It can be used by private entities, but only in specific scenarios; for instance, when a private company provides a public service under a procurement contract.
Finally, the right to object we mentioned earlier also applies to the processing of data based on public interest/authority.
Handling personal data correctly is important, but guidelines and laws are not always easy to understand. We tried to create a comprehensive overview to give a bit more clarity on the different legal bases for data collection. The GDPR has set the boundaries for what's possible and what is not. As a business, you must adhere to these laws to protect your customers' privacy. Having a clear understanding of these legal bases reduces your company's risks of lawsuits and data breaches.
Even if the GDPR did not exist and there were no laws to violate concerning data protection, organizations are morally obliged to handle the data of their website visitors in a responsible manner. At least, this is what we believe at Simple Analytics.
We believe in creating an independent web that is friendly to website visitors while providing the insights you need to run your business. If this resonates with you, feel free to give us a try.