Article 6 GDPR contains 6 legal bases – easy to remember! Which is good as they’re super important: if you can’t rely on one of them for your processing, it won’t be lawful and you’ll be in breach of GDPR.
And a breach that exposes you to the highest fine level of €20m euros or 4% of global turnover, whichever’s higher.
We’ll run through the 6 legal bases, along with 9 top tips, all in less time that it takes to drink a nice cup of tea. And stay with us for why the legal basis story doesn’t stop with Article 6 – there are 13 others that may, but don’t always – apply depending on the data you’re processing.
Here are the 6 lawful grounds in the order they appear in Article 6 of GDPR. You’ll hear them called lawful grounds, lawful bases, legal bases and sometimes legal grounds, even within GDPR and by regulators. It doesn’t really matter as long as you know what it it you’re talking about. We like legal basis.
Recitals 40 to 56 of GDPR give some context and examples for the legal bases, and there’s various guidance from UK and EU regulators, linked to below as usual.
Now for our first tip, which is true for both GDPRs.
The legal bases might be set out as (a) to (f) but, as the UK ICO notes:
‘No one basis should be seen as always better, safer or more important than the others, and there is no hierarchy in the order of the list…’
‘Identifying the appropriate legal basis that corresponds to the objective and essence of the processing is of essential importance.’
So don’t listen to someone saying you have to look at consent first, or anything similar. Each legal basis is as valid as the other, it’s a case of identifying the right one for your processing.
Our second tip is that you have to identify the legal basis up front, before your processing, not least because you have to tell data subjects about it in your Privacy notice.
And you need to be sure, because regulators confirm you can’t change legal basis afterwards.
Our third tip highlights a common trap: you’ll notice the 5 legal bases other than consent all include the word ‘necessary’.
Like a lot in GDPR, ‘necessary’ isn’t defined. But regulators are unanimous and very clear that this is a strict test. It means, apart from consent, your processing needs to be objectively necessary for that legal basis, not just useful or optional, and this is looked at strictly.
Regulators and case law confirm that you need to do a fact-based assessment of the processing to see if a realistic, less-intrusive option is available to achieve the same goal. If there is, then your proposed processing isn’t necessary and you should use the less-intrusive alternative.
We’ll see some examples as we go.
And here’s our fourth tip – let’s get them into the order that you’ll want to review them as a private sector organisation:
You’ll see why as we look at each.
For those in the public sector, don’t worry, there’s only one difference to this order, and we’ll explain this too:
The first legal basis you’ll look at is necessary for a legal obligation: if you have an obligation under applicable law and the processing is necessary to fulfil that, it’s the most cast-iron legal basis.
And here’s our fifth tip:
It needs to be a legal obligation under the law of the EU or an EEA Member State for EU GDPR, or under UK law for UK GDPR. The laws of a third country such as the USA don’t count here. And for completeness, complying with a contract doesn’t qualify, a contract isn’t a law.
The reason legal obligation is number 1 is you’ve no choice, and no-one can object. For example, employers are obliged under tax laws to pay employment taxes to the government. An employee can’t demand you withhold their tax information from the government. And as to erasure, good luck calling the taxman and asking them to delete your records.
This nicely illustrates our sixth tip:
As you can see, data subject rights like access and erasure can apply differently depending on the legal basis for the processing.
What if legal obligation isn’t available?
The next legal basis you’ll look at is contract, where the processing is necessary for the performance of a contract with a data subject, or to take pre-contractual steps at their request.
So, how do you work out if it’s necessary?
The EDPB clarifies that it’s ‘important to determine the exact rationale of the contract, … its substance and fundamental objective’ and then you test against that to see if your processing is necessary for its performance.
We love examples and the European regulators confirm the typical example of an individual buying items from an online retailer, wanting to pay by credit card, and to have the products delivered. It’s necessary for the contract for the retailer to process the credit card information and billing address as well as the address for delivery.
Note that this legal basis also covers processing before the contract in taking steps requested by the data subject. There are some other good examples in a 2014 Opinion from the EDPB’s predecessor as to what this can and cannot cover:
However, this won’t cover:
So, that’s legal obligation and contract – both nice and clear.
Legitimate interests, as a legal basis for processing under Article 6, generates a fair amount of confusion but you’ll see it’s really quite straightforward.
You can process personal data to the extent it’s necessary for your (or a third party’s) legitimate interests and those interests are not outweighed by the fundamental rights and freedoms of the data subject, particularly if that’s a child or other vulnerable individual.
The UK ICO calls legitimate interests ‘the most flexible lawful basis for processing’. It was underused before GDPR but with the issues around consent, it’s shot up the legal basis charts.
You can see there are 3 main components, which make up what’s called a Legitimate Interest Assessment or LIA:
GDPR’s Recitals 47 to 49 give us a few examples of purposes where legitimate interests is the applicable basis. The Recitals state that legitimate interests is good for processing:
And others that may qualify include:
Now, if you’re a public authority, you need to be aware that you can’t use legitimate interests in the performance of your tasks. This actually isn’t a problem, and it’s very logical.
Public authorities are given tasks in laws, so the law creating each of those tasks gives you the cast iron legal basis of public interest or official authority. It’s a much better legal basis than legitimate interests – less challenge, no balancing assessment.
And you can still rely on legitimate interests for processing outside of those tasks, which is viewed by regulators as relatively prescribed.
If you’re private sector, that’s 3 of the big 4. In practice, there’s only one left: consent.
Consent as a legal basis was massively over-used before GDPR. People used to say ‘you consent to XYZ’ and crack on, without making any real records of what was consented to.
After GDPR, however, with fines for choosing the wrong legal basis and not being able to prove compliance, consent is avoided like the plague. It’s become the last resort due to the requirements on collection and record-keeping.
You can see many of the obligations are built into GDPR’s definition of consent:
‘any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’.
In summary, the obligations on consent include:
And the right to withdraw consent means it’s a tactical option, not always a strategic one.
And here’s a bonus tip on consent: the ‘freely given’ part means it’s very, very hard for public authorities or employers to reply on consent. Data subject will just not have the option to say no.
We’re ready for our seventh tip:
You need to name each controller in your Privacy notice, but not the processors. So you’ll name yourself and any other controller you’ll share it with.
This is why it’s so hard to buy lead data, as those leads will need to have been told your organisation will be contacting them.
There’s a lot of regulator guidance on consent, again links in the notes.
Now, the last 2 legal bases.
We can quickly deal with ‘necessary for vital interests’ as a legal basis.
It’s available to both public and private sector but Recital 46 says it applies when processing ‘is necessary to protect an interest which is essential for the life of the data subject or that of another natural person.’
So our eighth tip is:
It has to practically be a matter of life and death for you to use vital interests. Making it rarely used, but good to remember for emergencies.
Public sector! This one’s for you. This legal basis, often shortened to ‘public task’, will be your number 1, go-to, legal basis for your core processing as that processing will be ‘necessary for the performance of a task carried out in the public interest or in the exercise of official authority.’
Your whole reason for being will be set out in law, so this covers those activities.
As the UK ICO notes, this ‘will cover processing necessary for:
That’s not an exhaustive list, and some private sector entities may be able to rely on this legal basis too. The UK ICO gives the example of water companies, as they’re ‘carrying out functions of public administration and they exercise special legal powers to carry out utility services in the public interest’.
So public sector – don’t feel hard done by – you’ve this ‘public task’ legal basis as your go-to legal basis, meaning you’ve 5 in normal practice rather than the 4 for private sector.
OK, here’s our ninth tip about those other legal bases.
Those are for other blog posts!
So there you are, you now know about the 6 legal bases in Article 6 and how to choose between them – not nearly as hard as some make out.
Please do look at our Privacy Kitchen video on the Article 6 GDPR & the 6 Legal Bases and The 7 Principles of GDPR, and please do use #privacykitchen to tell us the topics and questions you want covered.
Capture your legal bases and drill down with instant reports in our Privacy Management Software. Easily view insights such as ‘where do we rely on consent?’ so you can reduce that as much as possible and only use it where it’s appropriate. Or ‘where do we rely on legitimate interests?’ so you can see where LIAs are appropriate.
Get your Keepabl demo!. We’d love to speak with you to show how SaaS automation can improve your compliance.
Art 29 WP Guidelines on Consent WP 259 rev.01 10 April 2018 (endorsed by the EDPB)
Art 29 Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC (WP 217) (not endorsed by the EDPB but referred to with approval in, for example, their Art 6(1)(b) Guidelines)
This article was first published in Thomson Reuters Regulatory Intelligence on 20 September 2023 and are the personal views of the author, Robert Baugh. Subscribers link. Free trial link. Biometrics have…