Lawful Basis for Processing Personal Data under GDPR

The General Data Protection Regulation (GDPR) becomes law on May 25 2018. Once this happens, any business or organisation that processes the personal data of individuals who live within the European Union will have to comply with the legislation. This applies whether the business or organisation is based within the EU or not.

As covered by GDPR Article 6, one of these legislation is that there has to be a lawful basis for the processing of personal data. There are six lawful bases which can be used in order for a business or organisation to legitimately process the personal data of an individual.

  1. That consent has been provided by a data subject for their personal data to be used for a specific purpose. This consent can only be applied to that purpose. If a business or organisation needs to process data for a different reason, they are required to request explicit consent to do so.
  2. Personal data has to be processed at the request of the data subject before a contract is signed, or the data is necessary for the performance of the contract.
  3. Personal data processing is required in order for the data controller to comply with legal obligations.
  4. The processing of personal data is completed with the aim of protecting the vital interests of an individual.
  5. Personal data is processed in accordance with the official authority of a data controller or in relation to actions taken in the public interest.
  6. Personal data is processed for the legitimate interests of the data controller or a third party except when the rights and freedoms of an individual override these interests. This type of override is especially important to consider in cases where the individual is a child.

The GDPR stipulates that at least one of these lawful reasons must be in place, before data can be processed. It is also important to note that Article 29 Working Party guidance states that more than one base should not be used for a single processing activity. Once the basis has been identified it must be communicated to the data subject, as per GDPR Article 13.

Keeping a Record of the Lawful Basis

It is not sufficient for a business or organisation to have a legal basis for processing personal data; they need to keep a record of the basis and of which purpose it applies to. If there is no record of this information, the business or organisation can be found to be non-compliant. This could lead to them being fined a considerable amount of money; the maximum fine for non-compliance is €20m or 4% of annual turnover, whichever is higher.

These legal bases for processing personal data are detailed in the GDPR in order to ensure businesses and organisations only process personal data for legitimate reasons. This helps to protect the rights and freedoms of any individual who lives in an EU country.