The concept of legal bases refers to the legal grounds or justifications for collecting and processing personal data. Under data protection law, organizations must have a legal basis for collecting and processing personal data. In other words, they must demonstrate that they have a legitimate reason for doing so.
There are several different legal bases that organizations can use to justify the collection and processing of personal data, depending on the applicable legal framework as well as the specific circumstances and context. Some common examples of legal bases include:
Consent: This is perhaps the most common legal basis for collecting and processing personal data. For an organization to rely on consent as a legal basis, the individual must have given explicit, freely given, and informed consent for their personal data to be collected and processed.
Contract: If an organization needs to collect and process personal data to fulfill a contract with an individual, it can use the contract as a legal basis. For example, if an individual has entered into a contract with an organization to purchase a product or service, the organization can collect and process the individual's personal data (for example, a delivery address) to fulfill that contract.
Legal obligation: In some cases, the law may require an organization to collect and process personal data. For example, an organization may be required to collect and process personal data to comply with tax or employment laws. In these cases, the legal obligation can be used as a legal basis for collecting and processing personal data.
If you’re curious about legal bases in the GDPR, we wrote a blog on the topic and an in-depth blog on consent.