The Six Legal Bases for Lawful Processing in Article 6 of the GDPR
It is important for businesses to know about the six legal bases for lawful processing, which are set out in Article 6 of the GDPR. GDPR is an abbreviation for the General Data Protection Regulation, an EU regulation. Another commonly used term for legal basis is lawful basis.
The Six Legal Bases for Lawful Processing are Important to Know About
A company that processes personal data must support each processing operation with one of the legal bases. If personal data is processed without the support of a legal basis, the processing is unlawful. That constitutes a violation of the GDPR, which can result in penalties. In addition, companies must comply with the other articles of the GDPR, including processing all personal data in accordance with the seven data protection principles.
Summary of The Six Legal Bases in the GDPR for Lawful Processing
Below you can read a summary of the six legal bases stated in Article 6 of the GDPR. All processing of personal data must be based on one legal basis in order to be lawful.
Consent pursuant to Article 6(1)(a) of the GDPR
Consent is a relatively common legal basis for companies to support the processing of personal data. However, it is not always appropriate or permitted to use this legal basis for personal data processing.
Therefore, it is good for companies to start by analyzing whether any other legal basis is more appropriate to use, such as a contract with the data subject or legitimate interest. Consent means that an individual agrees that their personal data will be processed for one or several specific purposes.
Please note that an individual must be able to revoke the consent. The data subject must be able to revoke the consent as easily as it was to provide it. If the data subject revokes the consent, the company shall cease the processing of personal data based on that consent. If it is too difficult to withdraw the consent, the consent is not valid.
● Passive consents are prohibited
For a consent to be valid in accordance with the GDPR, it must be actively provided. Also, the consent must be provided freely. For example, a company may not have a pre-ticked consent box on its website. That is not considered to be active consent provided by the data subject.
● If there is an unequal power relationship between the controller and the data subject
If there is an unequal power relationship between the controller and the data subject, the controller may not process personal data on the basis of consent. This applies in the majority of cases where there is an unequal power relationship between the controller and the data subject.
This applies when the data subject is the weaker party in the power relationship with the controller who wishes to carry out the processing of the personal data. For example, between an employer and an employee, or between an authority and a citizen.
The reason for this is that it is difficult to prove and ensure that the consent has been freely provided. In situations where there is an unequal relationship of power, the data subject may not dare to refuse the processing of the personal data. Therefore, consent is not an appropriate legal basis to use in cases of unequal power relations. Instead, the legal bases contract with the data subject or legitimate interest may be more appropriate to use.
Contracts with data subjects pursuant to Article 6(1)(b) of the GDPR
It is common for companies to use “Contract” as one of the six legal bases for lawful processing.
Let's say that a company has entered into a contract with an individual. The company has the right to process the personal data that is necessary for the performance of the contract. For example, the provider of an application may process the user's specified name and email address. This processing must be carried out in order to create a user account and to deliver the service to the user in accordance with the terms of use. In this case, the legal basis for the processing may be a contract with the data subject.
In some cases, it may also be possible to process personal data on this legal basis before the parties enter into a contract with each other. According to the GDPR, a company may carry out processing of personal data of the data subject before the conclusion of the contract. This applies if it is necessary to take action at the request of the data subject. For example, a creditor may do a credit check before lending money to a customer.
A requirement for using this legal basis is that the data subject is a party to the contract entered into with the controller.
● Examples of contracts with data subjects
A company that operates an e-commerce platform needs to process the customer's personal data, such as name and delivery address, to carry out the delivery. In other words, the processing takes place in order for the company to fulfill its obligations under the contract concluded between the company and the customer.
Another example is when an employer processes the employee’s name and bank account details to pay the salary. Part of the employer’s obligations under the employment contract is to pay wages for the work performed to the employee.
Please note that a company may not process more personal data than what is necessary for the purpose of the collection. For example, if the company wants to process the same and/or more personal data in order to also analyze customer behavior, that is a separate processing of personal data. In such cases, the company must have a legal basis for this processing as well. "Contract" as the legal basis for the analysis will not be appropriate in that case, because this processing is not necessary for the performance or conclusion of a contract with the data subject. Instead, "consent" may in such cases be an appropriate legal basis to use.
Legal obligation pursuant to Article 6(1)(c) of the GDPR
In some cases, there may be other laws or regulations that require a company to process personal data. If it is necessary for the company to process personal data in order to comply with a legal obligation to which the company is subject, the processing is based on a legal obligation as the legal basis. “Legal obligation” is one of the six legal bases for lawful processing pursuant to the GDPR.
Examples of legal obligations for companies:
● Keeping records of their business transactions.
● Reporting taxes and social security contributions to the tax authorities.
● Handling complaints and withdrawal cases in accordance with applicable mandatory consumer protection laws.
● Reporting privacy incidents and personal data breaches of various kinds to the relevant authorities.
This means that the company may process the personal data necessary to meet the requirements of law or regulation. Therefore, it is important for companies to know which specific laws apply to the company's operations. There may be industry-specific laws and regulations to take into account, in addition to the more general legislation that applies to the majority of companies.
Protecting vital interests pursuant to Article 6(1)(d) of the GDPR
Where processing is necessary in order to protect the vital interests of the data subject or of another natural person, it is lawful. “Vital interests” is one of the six legal bases for lawful processing according to the GDPR.
Recital 46 of the GDPR describes when processing based on this legal basis may be lawful, for example when the controller needs to process personal data to protect the vital interests of the data subject (or of another natural person). In such cases, the processing of special categories of personal data (also known as sensitive personal data) is also permitted. Examples of sensitive personal data are data concerning the data subject's health and religious beliefs.
Where processing of personal data is necessary to save lives, it is thus permitted. However, it is important to note that processing of personal data based on the vital interests of another natural person should only take place if the processing cannot clearly be carried out on another legal basis.
● Necessary to save lives
An example of when it may be necessary to process personal data in order to save lives is if a person gets into a serious car accident and is unconscious when arriving at the hospital. In such cases, the hospital may need to find out, for example, what blood group the person has, which is personal data. Under the GDPR this is considered sensitive personal data, since it is health data.
Please note that a controller may not use this legal basis if the data subject is aware. If a person goes to a doctor for an appointment, consent or a task in the public interest is the more appropriate legal basis to use.
The exercise of official authority and tasks in the public interest pursuant to Article 6(1)(e) of the GDPR
Processing of personal data is lawful if it is necessary:
- for the performance of a task carried out in the public interest; or
- in the exercise of official authority vested in the controller.
It is primarily the authorities, municipalities and the state that process personal data on the basis of this legal basis. However, it is also applicable to the processing of personal data carried out by certain private actors, for example companies that carry out school activities or companies in the health care sector.
● Exercise of authority
The state may entrust a company with the task of exercising control over the citizens of the country. This may involve deciding on certain rights or obligations. When teachers at a municipal school give grades to their students, that is an example of the exercise of public authority. The same applies when an authority issues building permits.
● Tasks of public interest
Both private actors and state authorities can carry out tasks that are in the public interest, for example operating public transport, air traffic, health care or private school activities.
A company holding data of public interest may use this legal basis, as may a company processing personal data for archiving purposes. This is subject to a legal obligation to retain the data, for example in order to provide access to data of lasting value for the public interest.
If a company is not sure whether it actually performs a task in the public interest, it should consider another legal basis.
Legitimate interest pursuant to Article 6(1)(f) of the GDPR
If a company or a third party has a legitimate interest, then personal data that is necessary to achieve the purpose and the legitimate interest in question may be processed. However, this only applies provided that the fundamental rights, freedoms and interests of the data subject do not override that interest and require the protection of the personal data. "Legitimate interest" is one of the six legal bases for lawful processing found in the GDPR.
Please note that authorities cannot use this legal basis when processing personal data.
Furthermore, data subjects may object to processing of personal data that takes place on the basis of a legitimate interest assessment. This does not automatically mean that the company must cease the processing. However, in such cases the company must carry out a new analysis, and it must be able to demonstrate that its needs and interests still outweigh those of the data subject.
● Carry out a Legitimate Interest Assessment and document the assessment
In order for a company to be able to determine whether it has a legitimate interest or not, the company needs to carry out a Legitimate Interest Assessment (LIA). It is important that the controller documents the analysis carried out in writing.
If the company tries to prevent fraud, or in the case of direct marketing by email to previous customers, the company may have a legitimate interest to conduct the processing of personal data.
However, if the company in its Legitimate Interest Assessment concludes that the data subject's fundamental rights, freedoms and interests override its interest and require the protection of the personal data, the company may not process the personal data for the intended purpose on this legal basis.
Something that is important to keep in mind is that the company must conduct a legitimate interest assessment before the processing starts.
More information about the legal and lawful bases of the GDPR
Consent as the legal basis for personal data processing
Consent is one of the six legal bases for lawful processing of personal data. There are many requirements to fulfill in order for the consent to be considered valid. Also, it is important to remember that a company should in some cases not use consent as the legal basis. Consent is therefore more complicated than many think. Thus it is important to know when consent is suitable to use, and when it should be avoided.