GDPR Legal Grounds for Processing Personal Data
Article 6 of the General Data Protection Regulation (GDPR) sets out six legal grounds to ensure that personal data is processed lawfully, fairly, and transparently.
Under the GDPR, the processing of personal data is lawful only when at least one of these six legal grounds applies to the company carrying out the processing.
Consent
Mentioned in Article 6 and Recital 40 of the GDPR, consent refers to the authorization that a data subject gives for a personal data processing activity, covering one or all of the purposes disclosed explicitly and in full to them at the time the consent was requested.
Contractual obligations
The processing of personal data falls within the contractual scope when the data subject has entered into, or wishes to enter into, a contract for which the personal data has been provided.
Legal obligation
Controllers may process personal data where they are subject to a legal duty, or where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
Vital interest
Applicable not only to the data subject but also to other natural persons, the fourth ground for lawful processing applies in situations where the processing of personal data is vital to the life of the person concerned.
Public interest
Where European Union or Member State law provides for it, personal data can be processed if it is in the public interest to do so, including for health purposes such as public health, social protection and the management of health care services, or by a body governed by private law, such as a professional association (GDPR Recital 45).
Legitimate interest
Legitimate interest is a lawful ground for processing data if processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party. Relevant examples include but are not limited to situations where:
- “there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller”
- actions are taken to prevent fraud
When more than one basis applies, companies must be prepared to respond to data subject rights requests according to each data type and its applicable legal ground. Failure to identify the appropriate legal basis can result in unlawful processing and non-compliance with data subject rights.