The General Data Protection Regulation (GDPR) outlines the conditions under which there is a legal basis for processing personal data.

The Six Lawful Bases for Processing:

To collect or use personal data legally, you cannot just "want" to do it. You must rely on one of six specific legal justifications (Article 6). If you cannot fit your processing into one of these boxes, you cannot collect the data.

You must identify and document one of these bases before you start processing data.

  • Consent: The individual has given you clear, specific permission to process their data for a specific purpose.
  • Contract: You need to process the data to fulfil a contract with the individual (e.g., you need their address to deliver goods they bought).
  • Legal Obligation: You are required by law to process the data (e.g., keeping salary records for tax purposes).
  • Vital Interests: It is a life-or-death situation (e.g., giving emergency medical data to a hospital to save someone's life).
  • Legitimate Interests: You have a genuine business reason (like fraud prevention or network security), and this reason is not overridden by the individual's rights or freedoms.
  • Public Interest: You are performing a task in the public interest or acting under official authority (usually applies to government bodies, not private companies).

1. Strict Rules for "Consent"

If you choose "Consent" as your legal basis, the bar is set very high. You must be able to prove you obtained it validly.

  • Freely Given: The user must have a real choice. You cannot force them to consent or punish them if they say no.
  • Informed: They must know exactly who you are and what you are doing with their data.
  • Specific: You cannot ask for "blanket consent." You must ask for permission for each specific purpose.
  • Clear Affirmative Action: The user must do something to consent (like ticking a box). You must also keep a record of this consent being given. Pre-ticked boxes are banned.
  • Easy Withdrawal: You must tell them they can withdraw consent at any time, and if they do, you must stop processing immediately.

2. Contractual Necessity

When to use it: Use this when you have a contract with an individual (or are about to enter one) and you literally cannot do your job without their data.

The Rule: The processing must be necessary for the performance of a contract to which the individual is a party.

Practical Example: If you sell a product online, you need the customer's address to deliver it. You don't need their consent for the address. You need it to fulfil the contract of sale.

Constraint: You cannot use this for things that are "nice to have" but not essential to the contract (e.g., using that same address for marketing newsletters usually requires a different basis, like Consent).

3. Legal Obligation

When to use it: Use this when you have no choice because the law says you must process the data.

The Rule: The processing is necessary for compliance with a legal obligation.

Practical Example: You are required by tax laws to keep records of employee salaries for a certain number of years. Even if an employee asks you to delete their data, you can refuse because you have a legal obligation to keep it.

Constraint: This must be a statutory obligation (EU or national law), not merely a contractual obligation to a third party or your own company policy.

4. Vital Interests

When to use it: This is the "Emergency Only" basis. It applies to life-or-death situations.

The Rule: The processing is necessary to protect the vital interests of the data subject or another person.

Practical Example: If a visitor to your office collapses and is unconscious, you might disclose their medical allergies (if known) to the paramedics. You don't need to wake them up to get consent because their life (vital interest) is at risk.

Constraint: You generally cannot use this for large-scale data processing or health data unless it is truly a medical emergency.

5. Legitimate Interests

When to use it: This is the most flexible basis, often used for business activities like fraud prevention, network security, or direct marketing. However, it requires a careful "Balancing Test".

The Rule: Processing is necessary for your legitimate interests (or those of a third party), UNLESS those interests are overridden by the individual's fundamental rights and freedoms.

The "Balancing Test": You must weigh your benefit against the user's privacy:

Your side: "We need to process IP addresses to stop hackers attacking our website." (This is a strong legitimate interest).

Their side: "Does this hurt the user's privacy?" (Likely minimal impact).

Result: You can probably proceed.

Constraint: If the processing would be unexpected, cause harm, or if the individual is a child, their rights likely override your interests. You must document this assessment.

6. Public Interest / Official Authority

When to use it: This is primarily for public authorities (like schools, hospitals, police, or councils) performing their official duties.

The Rule: The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in you.

Practical Example: A local council collecting data to organise bin collections, or a tax authority collecting income data.

Constraint: Private companies rarely use this unless they are contracted to carry out specific public tasks (e.g., a private utility company maintaining the water supply).
