
Article 6 of the GDPR: Explained

Published June 24, 2022
Contributors

Anas Baig

Product Marketing Manager at Securiti

Maria Khan

Data Privacy Legal Manager at Securiti

FIP, CIPT, CIPM, CIPP/E


Under the GDPR, personal data that directly or indirectly identifies an individual must not be collected, stored, or processed unless there is an appropriate legal basis to do so.

Article 6 of the GDPR defines the six lawful bases that data controllers can rely on for the processing of personal data. These bases are narrowly drawn, and organizations must meet detailed criteria under each of them before initiating any data processing.

Every organization must therefore base its data processing on one of the following legal bases, chosen according to the nature of the data being processed and the circumstances of the processing in that particular instance.

The Six Lawful Bases for Processing

1. Consent

When consent is used as the lawful basis for data processing, it must be freely given, specific, informed, and unambiguous, indicating the data subject's wish to have their data collected and processed for a specific purpose and period.

Freely given consent refers to the absence of any factors that may influence the data subject’s decision to give consent. Consent cannot be considered freely given if there is a clear imbalance of power between the data subject and the controller, for example where the controller is a public authority, or where the controller is an employer and the data subject is an employee of that organization.

In such situations, a data subject’s consent can be a lawful basis only in exceptional circumstances where there are no adverse consequences for refusal of such consent. Similarly, if consent is required for the performance of a service or a contract, then it cannot be considered freely given. Therefore, consent is not an appropriate legal basis in such a situation.

Additionally, if a user cannot refuse to give consent, or cannot withdraw previously given consent, without suffering some detriment or cost, then such consent cannot be considered freely given either.

Organizations processing users’ data on this basis must ensure that they properly document the consent obtained.

They must also ensure that the language they use to gain consent from users is clear, simple, and unambiguous. Additionally, the data subjects must be informed about the identity of the data controller as well as the risks, safeguards, and rights in relation to the data processing to be carried out.

Since the GDPR follows an opt-in model, organizations relying on consent must obtain the explicit consent of users before processing their personal data. Even after consent has been given, the user must be able to withdraw it easily if they change their mind, and withdrawing consent must be as easy as giving it.

2. Performance of a Contract

This is an appropriate legal basis where the performance of a contract, and the service stipulated in that contract, depend on data processing. In such cases, the processing must be strictly and objectively necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract.

For example, when a customer buys a product or service, the data controller typically requires the customer’s contact information. In order to fulfill its contractual obligation, i.e. to provide the service requested by the data subject, the controller has to process the customer’s personal data, and therefore the performance of a contract is an appropriate legal basis for that processing activity.

This legal basis can be relied upon in the following two cases:

  • There’s a contract between an organization and an individual and the organization needs to process the individual’s data in order to honor their obligations as part of the contract;
  • A formal contract does not exist but the data subject intends to have a contract with the data controller and the data controller is taking steps at the request of the data subject prior to entering into a contract.

If a customer buys a product that may be recalled in the future or require modifications, such as a car, it is likely that the data collected and passed to the car manufacturer is being collected on the basis of a contractual obligation.

3. Legal Obligation

As with contractual obligations, an organization may proceed with data processing if it is under a legal obligation to do so.

A legal obligation, in this case, can mean common law or statutory principles in any country where the GDPR is enforced. The obligation must be laid down by EU law or applicable member state law, including common law obligations. To rely on this legal basis as a ground for data processing, it is essential that the law strictly requires the personal data to be processed.

Banks are a common example of this basis. They may process their users’ personal data owing to legal obligations under both the law of the land and international banking regulations, tax laws, and anti-money-laundering laws.

Data controllers must be able to identify the specific legal obligation they are relying on, either by reference to the specific legal provision or by pointing to an appropriate source of advice or guidance that sets it out clearly. The processing must also be necessary for compliance with the legal obligation the organization has identified, and it must be a reasonable and proportionate way of achieving compliance.

It is recommended that an organization maintain a detailed record of the legal provision it relies on when processing data on this basis.

4. Vital Interests

Data may be collected and processed to protect the vital interests of the data subject (or of another natural person). This is relevant where the data processing is required to save a person’s life or physical integrity.

A typical example involves health data. Health authorities, for instance, may collect data on individuals who need regular medication, so that if those individuals present themselves to a medical organization the information can be reviewed quickly and the appropriate treatment given.

As Recital 46 of the GDPR, on the vital interests of the data subject, states:

“…Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis…” This means that the protection of vital interests will not apply as a legal basis if the data controller is able to reasonably protect the person’s vital interests in another, less intrusive way.

An organization may also proceed with this basis in emergency matters, such as emergency medical treatment where a person otherwise capable of giving consent is currently unable to do so.

5. Public Interest

An organization may rely on this legal basis if it must process personal information “for the performance of a task carried out in the public interest” or “in the exercise of an official authority”.

Although this legal basis primarily applies to official authorities or government entities, a private body, such as a professional association, may also rely on it if it exercises official authority or carries out a task in the public interest.

To rely on this legal basis, data controllers must be able to point to a benefit to the wider public or society as a whole resulting from the processing, rather than to their own interests or the interests of a particular individual. Examples include the administration of justice, parliamentary functions, statutory functions, governmental functions, and activities supporting or promoting democratic engagement.

6. Legitimate Interests

This is an appropriate legal basis where the data processing is necessary for the purposes of legitimate interests pursued by the data controller or by a third party. An EU court ruling may help organizations understand this particular legal basis better.

The ruling clarified that in order to rely on the legitimate interests of the data controller as a lawful basis for data processing, the following three tests must be met:

  • Purpose test: Identify the legitimate interest: An organization needs to identify its legitimate interest properly. Fraud and crime prevention are examples of areas that can be considered legitimate interests of the data controller. Vague or generic business interests should not be relied upon.
  • Necessity test: Data processing is necessary for the identified legitimate interests: The processing must be necessary for the purposes of legitimate interests pursued by the controller or by a third party. Necessary means the processing must be a targeted and proportionate way of achieving the purpose. For example, the processing of personal data strictly necessary for the purposes of preventing fraud constitutes a legitimate interest of the data controller.
  • Balancing test: Individual’s privacy rights above legitimate interest: This is perhaps the most critical factor to consider. If an organization has identified a legitimate interest and wishes to proceed with the processing of data based on it, this interest cannot outweigh the privacy rights of the users. Organizations are required to balance the legitimate interest against the interests or fundamental rights and freedoms of the data subject, including the data subject’s rights to data protection and privacy. The legitimate interest identified must be sufficiently compelling to override those interests, rights, and freedoms.

What Else To Know

The GDPR places seven data protection principles at the heart of any data processing activity. These are as follows:

  • Lawfulness, fairness, and transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

Regardless of what legal basis an organization relies on, it must comply with these key data protection principles.

These principles aim to ensure that users retain some degree of control over how their data is collected, used, stored, and disposed of. They also place responsibilities on organizations to ensure there is a strict rationale behind any data processing activity.

Download our whitepaper on GDPR Legal Requirements for Collecting Personal Data to understand all 6 legal bases in detail and identify the most appropriate legal bases for your data processing situation.

How Securiti Can Help

Not only do organizations have to ensure all collected data is adequately protected, but they have to ensure that they have an appropriate legal basis to collect and process data in the first place.

Securing data is easier said than done. The threats to data are constantly evolving, and once the sheer volume of data involved is taken into account, it becomes clear how daunting a task this can be for some organizations.

Securiti represents a viable solution for such organizations.

Securiti’s Data Mapping Solution enables organizations to conduct effective, automated data mapping that helps them identify the correct legal basis and ensure lawful data processing. With several other products, ranging from breach management and vendor risk assessment to data classification and universal consent management, Securiti is a pioneer in enterprise data governance and compliance solutions.

Request a demo today and learn more about how Securiti can aid your organization’s GDPR compliance efforts.
