Under GDPR, every organization processing personal data must have a lawful basis for doing so. This legal foundation ensures that personal data is handled responsibly and in compliance with the law. But what exactly are lawful bases, and how can businesses determine the right one for their data processing activities? Let’s explore.
A lawful basis (or legal basis) is the legal justification required under GDPR to process personal data. Organizations must identify and document the appropriate basis for processing before handling any personal data (Article 6). This choice is critical because it not only ensures compliance but also determines the rights available to individuals, such as withdrawing consent or objecting to processing.
The lawful basis is a central element of the GDPR: it underpins transparency and accountability in data processing and directly determines which rights individuals can exercise.
For example, using consent as a lawful basis allows individuals to withdraw that consent at any time, while processing under a legal obligation doesn’t permit opt-out.
The Six Lawful Bases for Processing
GDPR provides six lawful bases for processing personal data. Each basis applies to specific scenarios:
- Consent: The individual has given clear, affirmative consent for data processing. (Articles 4(11), 6(1)(a), 7)
  - e.g. Signing up for a newsletter or agreeing to cookies on a website.
- Contractual Necessity: Processing is required to fulfill a contract or pre-contractual obligations. (Article 6(1)(b))
  - e.g. Using a customer’s address to deliver purchased goods.
- Legal Obligation: Processing is necessary to comply with a legal requirement. (Article 6(1)(c))
  - e.g. Retaining employee payroll records for tax purposes.
- Vital Interests: Processing is necessary to protect someone’s life. (Article 6(1)(d))
  - e.g. Sharing medical information during an emergency.
- Public Task: Processing is necessary to perform a task in the public interest or official duties. (Article 6(1)(e))
  - e.g. Collecting census data.
- Legitimate Interests: Processing is necessary for the legitimate interests of the organization or a third party, provided those interests are not overridden by the individual’s interests, rights and freedoms. (Article 6(1)(f), Recital 47)
  - e.g. Fraud detection and prevention.
How to Choose the Right Lawful Basis
When deciding on a lawful basis for processing, organizations must consider:
- Purpose: What is the reason for processing the data?
- Necessity: Is the processing essential to achieve this purpose?
- Proportionality: Does the processing respect individuals’ rights and freedoms?
Organizations must document their chosen lawful basis and communicate it to individuals via a privacy notice (Articles 5(2), 13). For example, a privacy notice should explain whether the data is processed based on consent, contractual necessity, or another basis.
What Happens Without a Lawful Basis?
Processing personal data without a lawful basis is a serious breach of GDPR and can result in:
- Fines: Up to €20 million or 4% of global turnover (Article 83).
- Data Subject Complaints: Individuals may challenge unlawful data processing through complaints or legal action.
For example, a company that uses personal data for marketing without obtaining consent or relying on another lawful basis risks fines and reputational damage.
In conclusion, understanding and selecting the correct lawful basis for processing is fundamental to GDPR compliance. By aligning data processing activities with one of the six lawful bases, organizations can ensure accountability, transparency, and respect for individual rights. Proper documentation and communication through privacy notices further demonstrate a commitment to responsible data practices.