Six Legal Bases for Processing – GDPR Article 6

The legal bases are set out in GDPR Article 6. In data protection terms a ‘legal basis’ (also referred to as a lawful basis) means the legal justification for the processing of personal data. At least one valid legal basis is required whenever personal data are processed, otherwise the processing is unlawful under data protection law. There is no hierarchy or preferred option within this list; instead, each processing activity should rest on the legal basis that is most appropriate in its specific circumstances. The legal basis relied on also determines which data subject rights apply to the processing.

Consent of the individual concerned. Consent of the individual (data subject) means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Contractual obligation between the organisation and the individual. The organisation can rely on this lawful basis if the processing is necessary either to deliver a contractual service to the individual, or because the individual has asked the organisation to take steps before entering into a contract (e.g. to provide a quote).

Legal obligation of the organisation. The organisation can rely on this lawful basis if the processing is necessary to comply with a common law or statutory obligation to which it is subject. This does not extend to contractual obligations between the organisation and individuals; those fall under the contractual basis above.

Vital interests of the individual. An organisation is likely to be able to rely on vital interests as a lawful basis if the processing is necessary to protect someone’s life. However, it cannot rely on vital interests to process health data or other special category data where the individual is capable of giving consent, even if the individual refuses that consent.

Public interest/public task. An organisation can rely on this lawful basis if it needs to process personal data either ‘in the exercise of official authority’ (that is, public functions and powers set out in law) or to perform a specific task in the public interest that is set out in law.

Legitimate interest of the organisation or a third party. This is the most flexible lawful basis for processing, but it will not always be the most appropriate one.

There are three elements to the legitimate interest basis, and it helps to think of them as a three-part test. The organisation needs to:

  • identify a legitimate interest. A vague or general interest is not enough; the interest must be articulated specifically. Common examples are health and safety, protection of property, fraud or crime prevention, and network and information security. The interest can be the organisation’s own or that of a third party, and can include commercial interests, the interests of individuals, or broader societal benefits. Note: details of the legitimate interests relied on must be included in the organisation’s privacy information.
  • show that the processing is necessary and proportionate to achieve that purpose, i.e. that the purpose could not reasonably be achieved in a less intrusive way.
  • balance the organisation’s (or third party’s) interest against the interests, rights and freedoms of the individuals affected.

To evaluate the balance between the organisation’s or third party’s interest and the interests of the individual(s) affected, the organisation needs to carry out a balancing test, also known as a Legitimate Interest Assessment (LIA). It must keep a record of this assessment so that it can demonstrate compliance if required.

Public authorities can rely on legitimate interests only where they are processing for a legitimate purpose other than the performance of their tasks as a public authority or body; for those tasks the public task basis applies instead.