This article is a follow-up to our older blog about consent under the GDPR, where we briefly explained how consent works and what the limitations of consent are. We briefly mentioned that consent is not always necessary and that personal data can sometimes be lawfully processed without a data subject’s consent.
Today we will look closely at all the other legal bases for processing data under the GDPR. That’s enough material to write a book about, so we will keep it as short and straightforward as possible.
1. What is a legal basis?
In a nutshell: to process data lawfully, you need to rely on one of six legal bases listed by Article 6 GDPR. From a practical standpoint, consider these conditions as alternative requirements that must be satisfied when data needs to be processed.
2. What are the legal bases under the GDPR?
Art. 6(1) lists six legal bases:
- consent
- the performance of a contract
- compliance with a legal obligation
- the vital interest of the data subject or another natural person
- performance of a task in the public interest/exercise of a public authority
- the legitimate interest of the controller
These legal bases come with specific requirements, which can be considered a set of “pros and cons.” For example, consent needs to be freely given, specific, informed, and unambiguous. If these requirements cannot be met, another ground must be used. Sometimes two or more grounds are available, while at other times no ground may be available at all, in which case the data cannot be processed.
It should be noted that there is no order of priority between legal grounds. For instance, a data controller is free to choose between consent (listed first) and legitimate interest (listed last), provided that the requirements for each ground can be met in that specific scenario.
3. What legal basis should I choose?
As we said, each ground comes with specific requirements. Sometimes only one will be available, so you have no choice. At other times you might have the luxury of choosing between two or more.
Each legal basis has pros and cons. For example, let’s assume you can choose between consent and legitimate interest. If you choose consent, then you need to collect it in the first place. You also must ensure that the consent requirements (freely given, informed, specific, unambiguous) are satisfied. Finally, you should be aware that consent can be withdrawn and be prepared to deal with that possibility.
If you rely on legitimate interest instead, you don’t need to collect consent, and you don’t need to worry that consent might be withdrawn later. But you will need to balance your interest with the data subject’s rights, and the subject may object to the processing (more on this later).
So it comes down to a case-by-case assessment. For example, if the processing is very invasive, then your legitimate interest may be hard to balance, and consent may be a better choice. On the other hand, if you are very concerned about the withdrawal of consent, you may want to consider legitimate interest instead. There really is no one-size-fits-all solution, which makes it fun.
That being said, all grounds have specific requirements, and as a result, some are more readily available to certain controllers. Companies and other private entities typically rely on consent, contract, and legitimate interest. On the other hand, public entities usually rely on either legal obligation or public interest/authority.