
Non-Sensitive Personal Data | Legal Basis

Any processing of personal data must have a legal basis in article 6(1) of the GDPR, which you can read about in this article.



    Legal Basis for Processing Non-Sensitive Personal Data

    Under the GDPR, organisations need a valid legal basis to process personal data; handling it without one is not allowed.

    To determine this legal basis, it’s important to first identify the categories of personal data your organisation processes, as the legal basis can differ depending on whether the data is classified as sensitive or non-sensitive.

    This first and foremost requires that you understand what personal data is and which types of personal data your organisation processes.

    The Six Legal Bases

    The GDPR requires that all personal data processing be based on one of the six legal bases outlined in Article 6(1). This applies to both non-sensitive and sensitive data. Here, we explore the six bases to help you determine the most suitable one for your processing activities.

    Consent (Article 6(1)(a))

    You can process personal data if the individual has given their consent to do so.

    Article 6(1)(a) states that personal data may be processed if: "the data subject has given consent to the processing of his or her personal data for one or more specific purposes".

    For consent to be valid, it must meet the requirements set out in Article 7 of the GDPR, which are explained below:

    Demonstrating Consent

    You must be able to prove that an individual has given their consent for you to process their personal data. This is often done through written documentation but can also be shown using other methods. For instance, if a specific action in an IT system can only be carried out after consent is provided, this can serve as valid evidence.

    Specificity

    Consent must be specific, meaning it must be given for a particular processing activity and be clearly distinguishable from other activities that require consent. For instance, if you want to carry out two different processing activities, requesting a single consent for both is not valid. The individual must be able to say ‘yes’ or ‘no’ to each activity separately.

    Withdrawing Consent

    Individuals must always have the option to withdraw their consent, and it should be just as easy to withdraw as it was to give. Once consent is withdrawn, you must stop processing their data and delete it in accordance with your data retention policy.

    Voluntariness

    Consent must be freely given.

    Consent obtained under any form of coercion is clearly invalid. For example, consent is unlikely to be valid if there is already a contract between the parties, or if there is otherwise a significant imbalance of power between them. In such cases, other legal bases may apply, such as the performance of a contract.

    Practical Implementation

    If you intend to use consent as your legal basis for processing, you must obtain the consent before starting the processing of personal data. At the moment you request consent, you are also obligated to comply with the GDPR's requirements to clearly and transparently inform the individual about the processing (see Articles 12 and 13 of the GDPR). Furthermore, you must ensure compliance with the aforementioned requirements, such as being able to demonstrate that you have obtained valid consent.
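    The consent requirements above (demonstrable, specific to one purpose, withdrawable, and obtained before processing starts) translate into concrete checks when consent is managed in an IT system. The following consent register is an added illustration, not code from this article or from any product; the class and function names, the subject id and the sample events are constructed for the example. It gates a processing step on evidence of active, prior consent for that exact purpose, and keeps the consent event itself so the decision can be demonstrated later.

```python
"""Consent register illustrating the Article 7 requirements described above.
Added example with constructed names and sample events; not the page's own code."""
from dataclasses import dataclass, field, replace
from datetime import datetime, timedelta, timezone
from typing import Optional


class ConsentRequired(Exception):
    """Raised when a processing step is attempted without active, prior consent."""


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str                      # one purpose per record: consent is purpose-specific
    given_at: datetime
    evidence: str                     # how consent was captured (form id, request id, ...)
    withdrawn_at: Optional[datetime] = None


@dataclass
class ConsentRegister:
    """Append-only log of consent events, so each decision can be demonstrated afterwards."""
    events: list = field(default_factory=list)

    def record_consent(self, subject_id: str, purpose: str, given_at: datetime, evidence: str) -> None:
        self.events.append(ConsentEvent(subject_id, purpose, given_at, evidence))

    def withdraw(self, subject_id: str, purpose: str, withdrawn_at: datetime) -> None:
        """Withdrawal is a single call, mirroring 'as easy to withdraw as to give'.
        The original event is kept (with a withdrawal timestamp) as evidence."""
        self.events = [
            replace(e, withdrawn_at=withdrawn_at)
            if e.subject_id == subject_id and e.purpose == purpose and e.withdrawn_at is None
            else e
            for e in self.events
        ]

    def active_consent(self, subject_id: str, purpose: str, at: datetime) -> Optional[ConsentEvent]:
        """Return the consent event covering processing for `purpose` at time `at`, or None."""
        for e in self.events:
            if e.subject_id != subject_id or e.purpose != purpose:
                continue   # consent for another purpose does not carry over
            if e.given_at > at:
                continue   # consent obtained after processing started does not cover it
            if e.withdrawn_at is not None and e.withdrawn_at <= at:
                continue   # consent withdrawn before this processing step
            return e
        return None

    def require_consent(self, subject_id: str, purpose: str, at: datetime) -> str:
        """Gate a processing step: it only proceeds with evidence of active consent."""
        e = self.active_consent(subject_id, purpose, at)
        if e is None:
            raise ConsentRequired(f"no active consent for {subject_id}/{purpose} at {at.isoformat()}")
        return e.evidence


def demo() -> dict:
    """Constructed walkthrough: newsletter consent is given, used, then withdrawn."""
    t0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)    # constructed timestamp
    reg = ConsentRegister()
    reg.record_consent("subj-42", "newsletter", t0, "signup-form#8812")   # constructed evidence id
    results = {}
    # Sending the newsletter the next day is covered by the recorded consent.
    results["send_ok"] = reg.require_consent("subj-42", "newsletter", t0 + timedelta(days=1))
    # Profiling was never consented to separately: one consent does not cover two activities.
    try:
        reg.require_consent("subj-42", "profiling", t0 + timedelta(days=1))
        results["profiling_ok"] = True
    except ConsentRequired:
        results["profiling_ok"] = False
    # Processing dated before the consent was given is not covered either.
    results["before_ok"] = reg.active_consent("subj-42", "newsletter", t0 - timedelta(hours=1)) is not None
    # After withdrawal, further sends are blocked, but the log still demonstrates the earlier consent.
    reg.withdraw("subj-42", "newsletter", t0 + timedelta(days=30))
    results["after_withdraw_ok"] = reg.active_consent("subj-42", "newsletter", t0 + timedelta(days=31)) is not None
    results["historic_ok"] = reg.active_consent("subj-42", "newsletter", t0 + timedelta(days=10)) is not None
    return results


if __name__ == "__main__":
    print(demo())
```

    The register deliberately keeps the consent event after withdrawal: the event is the evidence that earlier processing was lawful, while the personal data processed under it is what the retention policy mentioned above governs. Checking `given_at` against the processing time also enforces the rule that consent must be obtained before processing starts rather than collected afterwards.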

    Examples

    Newsletter

    You’ve probably signed up for a newsletter before, providing personal data like your email address during the process. In these cases, the legal basis for processing is usually your consent, which is explicitly obtained when you subscribe. For example, you can see how we ensure compliance by subscribing to our newsletter, where we clearly request your consent before sending it.

    HR

    In employment relationships, consent is rarely used as a legal basis because the power imbalance between employer and employee makes it challenging to guarantee that consent is truly voluntary. Instead, employers should generally rely on alternative legal bases for processing personal data, such as the terms of the employment contract or the employer’s legitimate interest.

    Contract (Article 6(1)(b))

    You may process personal data if it is necessary for the performance of a contract.

    Article 6(1)(b) states: "Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract."

    It may also be necessary to process personal data before a contract is officially finalised. In such cases, this legal basis can still apply, provided the processing is directly linked to the contract. Often, there’s a period of discussion and information-gathering before a contract is concluded, and any data processing during this phase must remain relevant to the contract.

    Examples

    Below are some examples of how a contract can serve as a legal basis for processing personal data.

    HR

    An employment contract can serve as the legal basis for processing personal data when it’s necessary to fulfil the contract. For example, an employer needs to process an employee’s salary and banking details to pay wages as agreed in the employment contract.

    Webshop

    A webshop processes customer data, such as names, delivery addresses, and payment details, to fulfil orders and deliver goods or services as outlined in its terms.

    Fitness Centre Membership

    A fitness centre processes members’ personal information as part of the membership agreement. This includes registering memberships, managing payments, and providing access to facilities and events included in the membership.

    Service Agreement with an Electrician

    An electrician processes customer details, like names and addresses, as part of a service agreement to schedule and carry out maintenance work on electrical installations.

    Legal Obligation (Article 6(1)(c))

    You may be required to process personal data to comply with a legal obligation, which is a valid legal basis under GDPR Article 6(1)(c): 

    “Processing is necessary for compliance with a legal obligation to which the controller is subject”

    A "legal obligation" can serve as the basis for processing personal data when it is necessary to comply with laws or regulatory requirements. The processing must align with the specific purpose defined by the legal obligation.

    Examples

    Below are examples where a legal obligation can serve as the basis for processing personal data.

    Accounting and Bookkeeping

    A company is required to retain invoices and other accounting records for a specified period under accounting laws. This involves processing personal data such as names, addresses, and VAT numbers of customers or suppliers.

    Tax and Contributions Reporting

    An employer is obligated to report employees' salary and tax information to tax authorities. This includes processing data such as personal identification numbers, salary details, and tax deductions.

    Compliance with Workplace Safety Regulations

    An employer is required to record and report workplace accidents to the relevant occupational safety authorities. This requires processing personal data about the employees involved, as well as details of the incident, to fulfil legal requirements.

    Vital Interests (Article 6(1)(d))

    You may process personal data if it is necessary to protect a person’s vital interests and there are no other lawful means to safeguard this interest. As stated in Article 6(1)(d) of the GDPR:

    “processing is necessary in order to protect the vital interests of the data subject or of another natural person;”

    This legal basis is typically used in emergency situations where obtaining consent is not feasible, and the processing is essential to protect life or health.

    Due to its specific nature, this legal basis is rarely used for processing personal data.

    Examples

    Medical Emergency

    A fitness center may process information about a member experiencing a medical emergency during training, such as sharing relevant details with emergency services to provide first aid.

    Evacuation

    A company may process data about employees or visitors to ensure everyone is safely evacuated during a fire or other emergency. This may include sharing information with rescue services to protect the lives and health of those involved.

    Public Authority (Article 6(1)(e))

    You may process personal data if it is necessary to perform a task in the public interest or as part of the exercise of official authority vested in you. As stated in Article 6(1)(e) of the GDPR:

    "Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller"

    This legal basis applies when processing is defined by legislation, and the controller acts under granted public powers.

    If a private company is tasked with carrying out a public service on behalf of an authority, it may process personal data as part of that assignment. The processing is lawful because it is necessary for the public task, and the data must only be used to the extent required to complete the task.

    Examples

    Below are two examples of public authorities using the legal basis of 'public authority', along with an example of a private company that can rely on this basis.

    Processing Applications for Social Benefits

    A municipality processes information about citizens applying for social benefits, such as welfare or child allowances. This processing is necessary to assess the citizen's eligibility for the benefits and is carried out as part of the municipality's exercise of public authority.

    Regulatory Oversight

    A public authority processes information about businesses (including sole proprietorships) as part of its responsibility to ensure compliance with environmental regulations.

    Parking Inspection

    A private company handling parking enforcement on behalf of a municipality processes data about drivers who park illegally. This involves recording vehicle details, such as license plates, and issuing fines to vehicle owners. The processing is necessary to carry out the municipality’s responsibility of ensuring lawful parking, a task delegated to the company by the municipality.

    Legitimate Interests (Article 6(1)(f))

    You can process personal data if it is necessary to pursue a legitimate interest, provided this interest is not overridden by the rights and freedoms of the data subject. As outlined in GDPR Article 6(1)(f):

    "processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child."

    Legitimate interests offer a flexible legal basis, but their use requires a careful balancing test to ensure that the processing is reasonable and justified in relation to the data subject. This involves considering the data subject’s reasonable expectations about how their data will be used. This balancing test, known as a Legitimate Interest Assessment (LIA), should be thoroughly documented.

    As part of your transparency obligations, you must also inform the data subject about this assessment, typically by including the details in your privacy policy.

    Public authorities cannot generally rely on legitimate interests as a legal basis when processing personal data in the performance of their public tasks.

    Examples

    Information Security

    An organization uses an IT security solution to log data for detecting and managing security threats. This processing is considered a legitimate interest as it aims to protect the organization's IT systems and data.

    Fraud Prevention

    A webshop analyzes customer purchasing patterns to detect and prevent fraud, such as credit card fraud attempts. This processing is necessary to protect the business from financial losses and to protect customers from fraudulent activities.

    Employer-Employee Relations

    An employer processes information about employees' performance to evaluate productivity. This is a legitimate interest as long as the processing is necessary for the organization's operations and proportionate to the purpose.

    Conclusion

    You must always have a legal basis for processing personal data under GDPR Article 6(1).

    In this article on Article 6, we have outlined the six legal bases and provided practical examples of how they can be applied in real-world scenarios.

    Frequently Asked Questions About Non-Sensitive Personal Data Legal Basis

    What is non-sensitive personal data under GDPR?

    Non-sensitive personal data includes any information that can identify a person but is not classified as a special category under GDPR Article 9. Examples include name, email address, phone number, address, date of birth, IP address, and employment information. This contrasts with sensitive data such as health records, biometric data, or political opinions.

    What are the six legal bases for processing non-sensitive personal data?

    The six legal bases under GDPR Article 6(1) are: consent, contractual necessity, legal obligation, vital interests, public task, and legitimate interests. Each processing activity must have one identified legal basis, and you must document which basis applies before processing begins.

    When should I use consent as a legal basis?

    Use consent when none of the other legal bases apply and the individual has freely given specific, informed, and unambiguous consent. Consent must be demonstrable, easily withdrawable, and not a precondition for a service. It is often the least practical basis because it can be withdrawn at any time.

    What is legitimate interest as a legal basis?

    Legitimate interest allows processing when you have a genuine and lawful reason that is not overridden by the individual's rights and freedoms. You must conduct a Legitimate Interest Assessment (LIA) balancing your interests against the impact on the data subject. Common examples include fraud prevention, direct marketing to existing customers, and network security.

    When does contractual necessity apply?

    Contractual necessity applies when processing personal data is genuinely necessary to fulfil a contract with the individual or to take pre-contractual steps at their request. For example, processing an employee's bank details to pay their salary, or processing a customer's delivery address to ship an order.

    What is a legal obligation as a basis for processing?

    Legal obligation applies when processing is necessary to comply with a specific law or regulation. Examples include retaining financial records for tax purposes, reporting employee data to tax authorities, or providing information to law enforcement when legally required. The obligation must be clear and specific.


    Can I change the legal basis for processing?

    Changing legal basis is generally discouraged under GDPR as it may undermine transparency and fairness. If you need to change the basis, you must ensure the new basis is valid, update your documentation, and inform data subjects through your privacy notice. You cannot switch to consent as an afterthought if another basis fails.

    How do I document the legal basis for processing?

    Document the legal basis in your Records of Processing Activities (ROPA) for each processing activity. Include which legal basis applies, why it was chosen, and any supporting assessments such as Legitimate Interest Assessments. Also communicate the legal basis to data subjects through your privacy notice.

    What is the difference between legal bases for sensitive and non-sensitive data?

    Non-sensitive data requires one legal basis from GDPR Article 6(1). Sensitive data (special categories under Article 9) requires both an Article 6 legal basis AND an additional condition from Article 9(2), such as explicit consent or substantial public interest. This dual requirement reflects the higher risk of processing sensitive data.


    What happens if I process data without a valid legal basis?

    Processing personal data without a valid legal basis is a fundamental GDPR violation. It can result in significant fines, enforcement actions from supervisory authorities, and potential compensation claims from affected individuals. You must also stop the unlawful processing and may need to delete the data collected without a valid basis.
