Legal basis under the GDPR

Processing of personal data is lawful only if at least one of the six conditions of Art. 6(1) GDPR applies. Even when processing rests on one of these conditions, it remains limited by the other provisions of the GDPR and subject to the obligations they impose. For example, the principles of Art. 5 GDPR (lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, accountability) must always be followed.

The GDPR lists the following conditions:

  1. the data subject’s consent to processing for one or more specific purposes

or processing is necessary for:

  2. performance of a contract to which the data subject is a party, or in order to take pre-contractual steps at the data subject’s request
  3. compliance with a legal obligation to which the controller is subject under EU or MS law
  4. protection of the vital interests of the data subject or of another natural person (essentially life-or-death situations)
  5. performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  6. the purposes of the legitimate interests pursued by the controller or by a third party

Legitimate interest

One can rely on legitimate interest only if the interests or fundamental rights and freedoms of the data subject do not override the controller’s interests; Art. 6(1)(f) explicitly gives extra weight to the data subject’s side where the data subject is a child. This is distinct from Art. 8 GDPR, which requires the consent of the holder of parental responsibility only for consent-based processing of children’s data in information society services offered directly to a child below the age of 16 (MS may lower this threshold, but not below 13).

Further, three tests must be passed: (1) the purpose test, i.e. there is a legitimate interest; (2) the necessity test, i.e. the processing is necessary to achieve that interest and cannot reasonably be achieved in a less intrusive way; and (3) the balancing test, i.e. the data subject’s interests, rights and freedoms do not override the controller’s legitimate interest. Data subjects may nevertheless exercise their right to object to processing based on legitimate interest (Art. 21 GDPR), after which the controller must stop unless it demonstrates compelling legitimate grounds.

Recitals 47-50 GDPR give these examples of legitimate interests: direct marketing and fraud prevention (Recital 47), transmission of personal data within a group of undertakings for internal administrative purposes (Recital 48; the general principles for data transfers still apply), and network and information security (Recital 49). Recital 49 is the one security teams usually rely on: it covers processing that is strictly necessary and proportionate to ensure the ability of a network or information system to resist accidental events or unlawful or malicious actions, such as preventing unauthorised access, stopping malicious code distribution and denial-of-service attacks. The qualifiers “strictly necessary and proportionate” matter: security logging and monitoring still have to be scoped to what the protective purpose actually requires.

Choosing the appropriate legal basis depends on the processing itself, its purposes and the categories of data. There is no hierarchy among the legal grounds. A controller may also use different legal bases for different processing activities; however, each one carries different legal responsibilities, such as those related to the data subject’s rights (for example, the right to withdraw consent, or the right to object to processing based on legitimate interest), so the basis should be identified and documented before processing starts and not switched afterwards without good reason.

If the controller wishes to process personal data for a purpose other than the one for which it was collected, and that further processing is not based on the data subject’s consent or on EU or MS law, it may only do so if the new purpose is compatible with the initial one (Art. 6(4) GDPR). To assess compatibility, the controller must take into account, among other things, the following factors:

  1. any link between the purposes
  2. the context in which the personal data has been collected (primarily the relationship between data subjects and the controller)
  3. the nature of the personal data
  4. the possible consequences of the intended further processing for data subjects
  5. the existence of appropriate safeguards (e.g., encryption or pseudonymisation)