GDPR Learning Hub

Legal Obligation as the Legal Basis for Processing Personal Data

Article 6(1)(c) of the GDPR

Information about legal obligation as legal basis

Legal obligation as the legal basis for processing personal data pursuant to the GDPR

Legal obligation as the legal basis for processing personal data is commonly used by companies. Article 6(1)(c) of the GDPR states this legal basis. A company has the right to process personal data if it is necessary to comply with applicable law. In other words, the company, which is the controller, needs to carry out the processing in order to comply with a legal obligation incumbent on the company. This applies not only to national laws, but also to other EU regulations. 

Examples of legal obligation as the legal basis for processing personal data

Companies often need to process personal data in order to comply with other laws, so legal obligation is a commonly used legal basis for processing personal data. The following is a summary of some examples of legal obligations that some companies have:

 

●  Taxes and social security contributions

Companies need to report certain data to the tax authorities in their country, such as information on employees’ payroll data, as well as pay taxes and social security contributions. These processes may involve the processing of personal data.

 

●  Invoices

In many countries, companies have to save invoices as accounting documents for a number of years. In Sweden, for example, the Accounting Act applies, which means that companies must save invoices for 7 years. 

 

●  Banks

In most countries, banks are required to keep a record of their customers in accordance with applicable law. 

Informing data subjects about the processing of their personal data

Companies must inform data subjects about the processing of their personal data. Among other things, the provided information must state the legal basis on which the processing is based, the purpose of the processing, the rights of data subjects and when the company deletes the personal data. The data subject shall understand the purpose of the processing. Therefore the company shall state which law or regulation the processing is based on.

 

If a company processes personal data for a certain purpose, and then no longer needs the personal data for that purpose, but still has to save the personal data due to legal requirements, the continued storage is permitted. However, the company should in such cases store the personal data in a separate location, for example by archiving the documentation and protecting access to the archive folder through passwords.

More information about the legal and lawful bases of the GDPR

Protection of vital interests is another legal basis under the GDPR

The legal basis for the protection of vital interests means that it is permissible for a company to process personal data about a person if it is necessary to save his or her life. Article 6(1)(d) of the GDPR states this legal basis. It is mainly companies within the field of healthcare that use this legal basis for personal data processing. Keep in mind that it is not allowed to base the processing on this legal basis if the data subject is capable of, for example, giving consent.
