Lawfulness of Data Processing
An overview of the six legal bases under the GDPR: when personal data may be processed without consent and how the legitimate interests balancing test works.
All processing of personal data requires a legal basis. Article 6 GDPR provides an exhaustive list of six grounds on which controllers may rely. Processing without a valid legal basis is unlawful and may attract fines under Article 83 GDPR.
The Six Legal Bases
The first legal basis is the data subject's consent under Article 6(1)(a). This requires that consent be freely given, specific, informed, and unambiguous. The remaining legal bases permit processing without consent.
Under Article 6(1)(b), processing is lawful if it is necessary for the performance of a contract to which the data subject is party, or for taking steps at the request of the data subject prior to entering into a contract. The necessity criterion is critical: only data that is genuinely required for the specific contractual purpose may be processed.
Article 6(1)(c) permits processing that is necessary for compliance with a legal obligation to which the controller is subject. This covers, for example, statutory retention periods under tax law or mandatory reporting obligations. The controller may rely on this ground only where the obligation is laid down in Union or Member State law.
Processing necessary to protect the vital interests of a person (Article 6(1)(d)) is confined to emergency situations — for example, where a person requires urgent medical care and their consent cannot be obtained. This ground has limited practical application.
Article 6(1)(e) permits processing carried out in the exercise of official authority or in the public interest. This ground is primarily relevant for public authorities and bodies.
Legitimate Interest in Practice
The most significant legal basis for private-sector organisations is the legitimate interests ground under Article 6(1)(f). Processing is lawful where it is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights of the data subject. Recital 47 cites direct marketing and intra-group transfers as examples. The legitimate interests assessment comprises three steps: identifying the legitimate interest, assessing whether the processing is necessary to achieve it, and balancing the controller's interests against the data subject's rights and interests. The outcome of this assessment should be documented.