Skip to content

The expert's Asnwer to What are the 6 legal basis of GDPR?

Group 193 (1)-1

What are the 6 legal basis of GDPR?


What is GDPR?

The General Data Protection Regulation (GDPR) is a set of regulations implemented by the European Union in 2018 to strengthen the protection of personal data of individuals within the EU. It aims to provide individuals with more control over their data and to harmonize data protection laws across EU member states. The GDPR applies to organizations that process personal data of EU residents, regardless of where the organization is located. It sets out various legal bases on which organizations can lawfully process personal data. These legal bases provide a framework for organizations to ensure that their processing activities are in compliance with the GDPR and that individuals' fundamental rights and freedoms are protected. There are six legal bases for data processing under the GDPR, including the necessity of processing for the performance of a contract, compliance with a legal obligation, protection of vital interests, consent, performance of a task carried out in the public interest or in the exercise of official authority, and legitimate interests pursued by the data controller or a third party. This article will delve into these legal bases in more detail.

6 legal bases for GDPR

Under the General Data Protection Regulation (GDPR), there are six legal bases for processing personal data. These legal bases provide organizations with the necessary justification for collecting and using personal data.

  1. Consent: The most common legal basis is obtaining explicit consent from the data subject. This requires individuals to provide clear and freely given consent for their data to be processed, and they have the right to withdraw their consent at any time.
  2. Contractual Obligation: Processing personal data can be justified if it is necessary for the performance of a contract with the data subject or to take steps at their request before entering into a contract.
  3. Legal Obligation: When processing personal data is required to comply with a legal obligation imposed on the data controller, it becomes a valid legal basis.
  4. Vital Interests: In cases where processing personal data is necessary to protect someone's life, it can be justified on the grounds of vital interests.
  5. Public Task: Public authorities or organizations performing public tasks have the legal basis to process personal data when it is necessary for the performance of their official duties.
  6. Legitimate Interests: Processing personal data may be justified if it is necessary for the legitimate interests pursued by the data controller or a third party, except where these interests are overridden by the fundamental rights and freedoms of the data subject.

These legal bases provide organizations with a foundation to process personal data while ensuring compliance with the GDPR's requirements regarding the lawfulness of processing.

Legal obligation

Legal obligation is one of the six legal bases of the General Data Protection Regulation (GDPR) that allows the processing of personal data. This basis comes into play when a data controller is required to process personal data in order to comply with a legal obligation imposed on them. It provides a lawful ground for organizations to collect and process personal data when it is necessary to fulfill their legal obligations. Examples of legal obligations that may require the processing of personal data include preventing money laundering or terrorist financing, tax collection, and compliance with regulatory requirements. It is important for organizations to identify and justify their legal obligations when processing personal data to ensure compliance with GDPR and protect individuals' rights to data privacy.

What is a legal obligation?

A legal obligation refers to the requirement of a controller, as outlined in the General Data Protection Regulation (GDPR), to process personal data in order to comply with the law. Under GDPR, controllers must have a lawful basis for processing personal data, and a legal obligation is one of the six valid bases recognized by the regulation.

A legal obligation arises when the processing of personal data is necessary for the controller to fulfill a legal requirement imposed by EU or national law. This means that the controller must process personal data to comply with a legal obligation or to exercise its legal rights. For example, tax authorities may require businesses to process personal data for tax compliance purposes, or healthcare providers may need to process medical records to meet legal obligations related to patient care.

It is important for controllers to clearly identify and document the legal obligations that justify the processing of personal data. This information must be stated in the privacy notice provided to data subjects, which outlines the legal grounds for processing their data.

How does it relate to GDPR?

The legal basis of contractual obligation is one of the six lawful bases for processing personal data under the General Data Protection Regulation (GDPR). It relates to GDPR by allowing organizations to process personal data when it is necessary for the performance of a contract or pre-contractual measures.

In the context of GDPR, contractual obligation refers to situations where processing personal data is required to fulfill the terms of a contract or to take steps at the request of the data subject prior to entering into a contract. This legal basis recognizes the importance of honoring agreements and allows organizations to process personal data to carry out their contractual obligations.

For example, when an individual enters into a contract with a service provider, such as a telecommunications company or an online retailer, their personal data may need to be processed in order to fulfill the contract. This could involve processing the individual's name, address, payment information, or other necessary details.

Another example would be a recruitment process, where personal data would need to be processed to evaluate a candidate's suitability for a job and to proceed with the hiring process.

In both cases, the legal basis of contractual obligation enables organizations to process personal data in a manner that is compliant with GDPR, ensuring that individuals' rights and privacy are protected while allowing for the necessary processing for the performance of a contract.

Examples of legal obligations under GDPR

Under the GDPR, organizations must have a valid lawful basis for processing personal data. One of these bases is the legal obligation, which applies when processing is necessary to comply with a legal obligation to which the organization is subject.

For example, a tax authority has a legal obligation to collect and process personal data for tax purposes. This includes collecting individuals' income, deductions, and other relevant information. To explain the use of this legal basis in the Privacy Policy, the organization can state that they process personal data as required by law to fulfill their tax obligations under the applicable tax legislation. They should also specify the specific legal provisions that impose this obligation.

Another example is in the healthcare sector. Healthcare providers may have a legal obligation to process patients' personal data to provide necessary health services and maintain medical records. The Privacy Policy should highlight that personal data processing is carried out to comply with legal obligations imposed by healthcare laws and regulations.

When using the legal obligation lawful basis, organizations must ensure that the processing is necessary and specific to the legal obligation. It is important to clearly identify and explain the relevant legal provisions in the Privacy Policy, thereby establishing transparency and demonstrating compliance with data protection principles.

Official authority

Official authority is one of the six legal bases outlined in the General Data Protection Regulation (GDPR) that organizations can rely on to process personal data lawfully. This legal basis applies when processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. It grants certain public authorities and organizations the authority to process personal data for specific purposes that are necessary to fulfill their official duties and responsibilities. This legal basis ensures that public bodies can lawfully process personal data to carry out their functions, such as collecting and reporting data for statistical or research purposes, enforcing regulations, or exercising governmental powers. However, it is crucial for organizations to clearly define and justify their use of official authority as the legal basis for processing personal data in their privacy policies and ensure they adhere to the principles of data protection and individuals' rights as provided by the GDPR.

What is an official authority?

An official authority, in the context of the General Data Protection Regulation (GDPR), refers to a public entity or organization that is granted the power and responsibility to process personal data for specific purposes. This legal basis allows official authorities to collect and use personal data to fulfill their official duties and exercise their powers as outlined by law.

Official authorities play a crucial role in the GDPR as they are granted certain privileges and exemptions from certain provisions of the regulation. These privileges are necessary to ensure that official authorities can effectively carry out their tasks without being hindered by strict data protection requirements.

Examples of official authorities under the GDPR include law enforcement agencies, tax authorities, national security agencies, and regulatory bodies. These entities require personal data processing to carry out their legal obligations, such as investigating and preventing crime, ensuring compliance with tax laws, or protecting national security interests.

It is important to note that while official authorities enjoy certain privileges, they still need to ensure that they process personal data in compliance with the fundamental rights of individuals and adhere to the principles of data protection, such as transparency and accountability.

How does it relate to GDPR?

The legal basis of contractual obligation plays a significant role in the General Data Protection Regulation (GDPR) as it establishes a lawful basis for processing personal data in certain situations. In simple terms, a contractual obligation refers to the legal obligation between parties that arises from the mutual agreement of a contract.

Under the GDPR, the contractual obligation legal basis allows organizations to process personal data when it is necessary for the performance of a contract with an individual. This means that if an individual enters into a contract with a company or organization, the processing of their personal data becomes necessary to fulfill the terms of that contract.

For example, a telecommunications company may process a customer's personal data, such as their contact information and billing details, in order to provide the contracted phone or internet services. Similarly, an e-commerce platform may process personal data, including shipping addresses and payment information, to fulfill orders placed by customers.

It is important to note that the contractual obligation legal basis only applies when there is an existing contract or when steps are being taken at the request of the individual to enter into a contract. Organizations must ensure that they only process the necessary personal data required for the contract and that they do not use it for other purposes without obtaining additional legal bases or obtaining explicit consent from the individual. The GDPR emphasizes the importance of establishing a fair and transparent relationship between individuals and organizations in the context of contractual obligations.

Examples of official authorities under GDPR

Official authorities refer to government bodies or public institutions that have the legal power or responsibility to carry out specific tasks or exercises authority in a particular area. Under the GDPR, there are several examples of official authorities that have a legal basis for processing personal data.

One example is a tax authority, which is authorized to process personal data for the purpose of tax assessment and collection. This includes collecting and analyzing financial information, such as income and expenses, to determine tax liabilities. Another example is a health care service provider, who can process personal data in order to provide medical treatment or manage patient records.

Official authorities also include public health institutions, which have the legal authority to process personal data for the purposes of disease control, monitoring public health risks, or conducting medical research. For instance, during a public health crisis, such as the COVID-19 pandemic, public health authorities may collect and analyze personal data, including health status and contact tracing information, to track and prevent the spread of the disease.

These official authorities play a crucial role in ensuring compliance with GDPR while fulfilling their public duties. It is important that these authorities handle personal data in a responsible and lawful manner, safeguarding the fundamental rights of individuals while carrying out their official tasks.

Public task

Public task is one of the six legal bases under the General Data Protection Regulation (GDPR) that allows organizations to process personal data. This legal basis applies when the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority. In other words, public authorities or bodies that have a legitimate interest in performing specific tasks for the benefit of society can lawfully process personal data. This may include activities related to maintaining public safety, providing healthcare services, conducting research, or ensuring democratic engagement. Public tasks have a clear legal basis and are subject to appropriate safeguards and oversight to protect individuals' fundamental rights and freedoms. Organisations relying on the public task legal basis must be transparent about their processing activities and ensure that the data is used solely for the intended public task and not for any other purposes.

What is a public task?

A public task refers to a specific activity or responsibility carried out by a public authority or body that is in the public interest. Under the General Data Protection Regulation (GDPR), public tasks play a crucial role in determining the lawful basis for the processing of personal data.

Public tasks are activities that are inherent to public authorities and are necessary for them to perform their official functions. These tasks can include tasks related to the exercise of official authority, the provision of public services, or the implementation of public policies.

Examples of public tasks under the GDPR include law enforcement activities carried out by the police, processing activities by tax authorities for the collection of taxes, or healthcare services provided by public hospitals. These activities are considered to be in the public interest and are necessary for the proper functioning of the state.

When processing personal data for public tasks, public authorities must be able to demonstrate that their actions are necessary and proportionate to fulfill their public responsibilities. They must also ensure that appropriate safeguards are in place to protect the rights and freedoms of individuals affected by the processing.

How does it relate to GDPR?

The legal basis of contractual obligation is an important aspect of the General Data Protection Regulation (GDPR) that allows for the lawful processing of personal data. Under the GDPR, contractual obligation refers to situations where the processing of personal data is necessary for the performance of a contract to which the data subject is a party, or for the implementation of pre-contractual measures taken at the data subject's request.

This legal basis recognizes that in order to fulfill contractual obligations, organizations may need to process personal data. For example, when an individual enters into a contract with a company for the purchase of goods or services, the company may need to collect and process personal data such as the individual's name, address, and payment information in order to fulfill the contract.

Similarly, if an individual requests a quote or seeks information about a product or service, the organization may need to collect and process personal data to respond to the inquiry and establish a potential contractual relationship.

It is important to note that when relying on the legal basis of contractual obligation, organizations must ensure that the processing of personal data is necessary for the performance of the contract and is not used for other purposes without obtaining additional and separate legal grounds for such processing.

Examples of public tasks under GDPR

Under the General Data Protection Regulation (GDPR), there are several examples of public tasks that can serve as a legal basis for processing personal data. These public tasks are activities carried out by public authorities in the public interest. Here are a few examples:

  1. Public Health: Processing personal data for public health purposes, such as disease surveillance, monitoring and control of epidemics, or ensuring high standards of healthcare, can be considered a public task under GDPR.
  2. Social Protection: Collecting and processing personal data for social protection purposes, such as administering social benefits, pensions, or unemployment benefits, constitutes a public task.
  3. Management of Healthcare Services: Public authorities responsible for managing healthcare services, such as hospitals or healthcare providers, can rely on the public task legal basis when processing personal data related to patient care and treatment.
  4. Achievement of Aims of Recognized Religious Associations: If a recognized religious association engages in data processing activities to achieve its aims, such as providing spiritual counseling or managing religious events, it may rely on the public task legal basis.
  5. Electoral Activities: Public authorities responsible for organizing and conducting elections and referendums can process personal data under the public task legal basis to ensure the democratic engagement of citizens.

It is important to note that when relying on the public task legal basis, appropriate safeguards must be in place to protect individuals' fundamental rights and ensure the lawfulness of processing under GDPR.

Contractual obligation

Contractual obligation is one of the six legal bases for processing personal data under the General Data Protection Regulation (GDPR). When there is a contract in place between a data controller and a data subject or when there is a request for an initial step towards a contract, the contractual obligation legal basis can be relied upon.

To satisfy the contractual obligation legal basis, the processing of personal data must be necessary for the performance of the contract. This means that the data processing must be directly related to fulfilling the obligations and responsibilities outlined in the contract. For example, if a company enters into a contract with a customer to provide a product or service, the processing of the customer's personal data, such as their name and address, may be necessary to fulfill the contractual obligations.

It's important to note that if the processing of personal data involves sensitive data, such as health information or religious beliefs, a separate lawful basis must also be identified. This is because the processing of sensitive data requires a heightened level of protection under the GDPR.

General thought leadership and news

Essential frameworks for operational technology risk management

Essential frameworks for operational technology risk management

Operational technology (OT) risks have become an increasing concern to organizations due to the crucial role OT plays in supporting industrial...

Mitigating cybersecurity risks: A guide to vendor risk management

Mitigating cybersecurity risks: A guide to vendor risk management

In today's digital landscape, cybersecurity risks have become a prevalent concern for organizations of all sizes. With businesses relying on multiple...

CMMC 2.0 is here: Key changes and what it means for your business

CMMC 2.0 is here: Key changes and what it means for your business

Last October 15, 2024, the final rule for the latest iteration of the Cybersecurity Maturity Model Certification (CMMC) was published by the US...

Configuring your 6clicks dashboard: Transform insights with Power BI

Configuring your 6clicks dashboard: Transform insights with Power BI

Governance, risk, and compliance (GRC) thrive on data. With today’s businesses running on digital ecosystems, visualization and interaction with data...

Explore the power of the 6clicks dashboard: A widget showcase

Explore the power of the 6clicks dashboard: A widget showcase

Dashboards are more than just data displays—they’re hubs for insight, action, and collaboration. We have recently released our configurable...

Introducing personalized dashboards for a smarter GRC experience

Introducing personalized dashboards for a smarter GRC experience

Hello everyone! We’re excited to announce a powerful new feature: configurable dashboards designed to enhance how you manage your GRC data on the...