Lawful Basis – It’s Not All About Consent


    The first principle of the General Data Protection Regulation (GDPR) requires that all personal data is processed lawfully, fairly and in a transparent manner. Processing is only lawful if you have a lawful basis under Article 6. If no lawful basis applies to processing, the processing will be unlawful and in breach of the first principle. Individuals have the right to request the erasure of personal data which has been processed unlawfully.

    You must determine your lawful basis before you begin processing and you should document it. The individual’s right to be informed under Articles 13 and 14 requires organisations to provide people with information about the lawful basis for processing. This means these details need to be included in your privacy/fair processing notice.

    There are six available lawful bases for processing ‘ordinary’ personal data. No single basis is better or more important than the others; the most appropriate basis to use will depend on the purpose of processing. Consent is one lawful basis for processing, but it is not always the most appropriate basis. One of the disadvantages of consent is that it can be withdrawn, and another is that it has to pass the GDPR validity test.


    Businesses and organizations around the world collect and process data to improve their services, personalize customer experiences, and target marketing campaigns. However, processing data comes with legal responsibilities, and businesses must have a lawful basis for doing so. In this article, we will explore the legal requirements for processing data and the different purposes for doing so.

    Understanding the Legal Requirements for Processing Data

    With the rise of technology and the increasing amount of data being generated, it is crucial for businesses to understand the legal requirements for processing data. The General Data Protection Regulation (GDPR), which came into effect in May 2018, is a comprehensive data protection law that outlines the legal basis for processing personal data.

    Under the GDPR, businesses must have a lawful basis for processing data to comply with data protection laws. The GDPR defines six lawful bases for processing data, and businesses must choose the most appropriate one for their processing activities.

    The first lawful basis is consent. This means that the individual has given clear and explicit consent for their data to be processed for a specific purpose. The consent must be freely given, informed, and unambiguous.

    The second lawful basis is contractual obligation. This applies when the processing of data is necessary for the performance of a contract between the business and the individual.

    The third lawful basis is legal obligation. This applies when the processing of data is necessary for the business to comply with a legal obligation, such as a court order or a regulatory requirement.

    The fourth lawful basis is vital interests. This applies when the processing of data is necessary to protect the vital interests of the individual or another person.

    The fifth lawful basis is public interest. This applies when the processing of data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.

    The sixth and final lawful basis is legitimate interests. This applies when the processing of data is necessary for the legitimate interests of the business, as long as those interests do not override the fundamental rights and freedoms of the individual.

    Each of these lawful bases comes with its own set of criteria and requirements, and businesses must ensure that the basis they choose aligns with their processing activities. For example, if a business wants to process data for marketing purposes, they would need to obtain clear and explicit consent from the individual.

    It is important for businesses to understand the legal requirements for processing data to avoid potential fines and reputational damage. The GDPR has strict rules around data protection, and businesses that fail to comply can face fines of up to €20 million or 4% of their global annual revenue, whichever is higher.

    Overall, businesses must take a proactive approach to data protection and ensure that they are processing data lawfully and ethically. By understanding the legal requirements for processing data, businesses can protect the privacy and rights of individuals while also achieving their business objectives.

    How Many Lawful Bases Are There for Processing?

    The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). The GDPR stipulates six lawful bases for processing data, which are as follows:

    1. Consent: The individual has given clear consent for their personal data to be processed for a specific purpose.
    2. Contract: The processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
    3. Legal obligation: The processing is necessary for you to comply with the law (not including contractual obligations).
    4. Vital interests: The processing is necessary to protect someone’s life.
    5. Public task: The processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
    6. Legitimate interests: The processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

    It is important to note that not all of these lawful bases are appropriate for every scenario. For example, if a business is processing data for a contractual obligation, they cannot switch to processing data for a legitimate interest after the contract has been fulfilled. Therefore, businesses must carefully consider the lawful basis they choose before beginning any processing activities.

    Consent is one of the most commonly used lawful bases for processing personal data. It is important to obtain clear and unambiguous consent from individuals before processing their personal data. This means that the individual must be fully informed about the processing activities and must actively opt-in to the processing.

    Another lawful basis for processing personal data is contractual obligation. This basis is often used when processing personal data is necessary to fulfill a contract with an individual. For example, if an individual purchases a product from an online store, the store may need to process the individual’s personal data in order to fulfill the order and deliver the product.

    Legal obligation is another lawful basis for processing personal data. This basis is often used when processing personal data is necessary to comply with a legal obligation. For example, if a business is required by law to keep certain records, they may need to process personal data in order to maintain those records.

    Vital interests is a lawful basis for processing personal data that is used when processing is necessary to protect someone’s life. This basis is often used in emergency situations, such as when a hospital needs to process personal data in order to provide life-saving treatment.

    Public task is a lawful basis for processing personal data that is used when processing is necessary for a task in the public interest or for official functions. This basis is often used by government agencies and other public bodies.

    Finally, legitimate interests is a lawful basis for processing personal data that is used when processing is necessary for the legitimate interests of the data controller or a third party. This basis is often used for marketing purposes, but it is important to ensure that the legitimate interests of the data controller or third party do not override the rights of the individual.

    In conclusion, businesses must carefully consider the lawful basis they choose before beginning any processing activities. The GDPR provides six lawful bases for processing personal data, but not all of them are appropriate for every scenario. It is important to choose the right lawful basis in order to ensure that personal data is processed lawfully, fairly and transparently.

    Exploring the Different Purposes for Processing Data

    Processing data has become an integral part of many businesses, and it serves various purposes. One of the most common reasons why businesses process data is to provide a service to their customers. For example, if you are a bank, you may need to process customer data to provide banking services, such as opening accounts, processing transactions, and providing loans. In this case, the lawful basis for processing the data may be contractual obligation, as it is necessary to fulfil the terms of the contract between the bank and the customer.

    Another reason why businesses process data is to comply with legal requirements. For instance, if you are an insurance company, you may need to process customer data to comply with regulations and laws governing the insurance industry. In this case, the lawful basis for processing the data may be legal obligation, as it is necessary to comply with the law.

    Marketing is another purpose for processing data. Businesses may use customer data to create targeted marketing campaigns, such as sending promotional emails or displaying ads on social media platforms. In this case, the lawful basis for processing the data may be legitimate interest, as it is in the interest of the business to promote its products or services.

    Research is yet another purpose for processing data. Businesses may use customer data to conduct market research, analyze trends, and identify customer preferences. In this case, the lawful basis for processing the data may be legitimate interest or consent, depending on the nature of the research.

    Improving service quality is also a common reason why businesses process data. By analyzing customer data, businesses can identify areas where they need to improve their services, such as customer support or product quality. In this case, the lawful basis for processing the data may be legitimate interest or consent, as it is in the interest of the business to improve its services.

    Regardless of the purpose for processing data, businesses must ensure they have a valid lawful basis for doing so. This means that they must have a clear and specific reason for processing the data, and they must ensure that the processing is necessary and proportionate to achieve that purpose. Additionally, businesses must ensure that they comply with relevant data protection laws and regulations, such as the GDPR in the European Union and the CCPA in California.

    Must You Determine Your Lawful Basis Before You Begin Processing Data?

    Yes, determining your lawful basis for processing data is a crucial step that businesses must take before beginning any processing activities. The General Data Protection Regulation (GDPR) has made it mandatory for businesses to be able to demonstrate that they have a valid lawful basis for processing data. This means that businesses must have a clear and legitimate reason for collecting and processing personal data.

    There are six lawful bases for processing data under the GDPR, including consent, contract, legal obligation, vital interests, public interest, and legitimate interests. It is important for businesses to carefully consider which lawful basis applies to their specific situation and ensure that they adhere to all relevant regulations and guidelines.

    For example, if a business is processing data based on consent, they must ensure that the consent is freely given, specific, informed, and unambiguous. They must also provide individuals with the right to withdraw their consent at any time and ensure that the withdrawal process is simple and straightforward.

    It is also important for businesses to regularly review their lawful basis for processing data. This means that they must ensure that their processing activities continue to align with their chosen lawful basis. For example, if a business initially relied on consent as their lawful basis, they must ensure that consent has not been withdrawn or expired. If the lawful basis is no longer valid, the business must either stop processing the data or identify a new lawful basis that applies.

    Furthermore, businesses must be able to demonstrate their compliance with GDPR regulations and guidelines. This means that they must keep detailed records of their processing activities and be able to provide evidence of their lawful basis for processing data if requested.

    In summary, determining your lawful basis for processing data is an essential step that businesses must take to comply with GDPR regulations. It is important to carefully consider which lawful basis applies to your specific situation, regularly review your processing activities, and keep detailed records of your compliance.

    In today’s digital age, data protection has become an increasingly important issue. With the vast amount of personal information being shared online, it is crucial that businesses and organizations handle this data with care and respect. The General Data Protection Regulation (GDPR) was introduced in 2018 to strengthen data protection laws across the European Union, and the use of consent as a lawful basis for processing data is a key part of this regulation.

    The EDPB’s guidelines on consent provide important clarification on the requirements for valid consent. One of the key points is that consent must be freely given. This means that individuals must have a genuine choice about whether or not to provide their consent, and there must be no negative consequences for choosing not to give consent. For example, a website cannot refuse to allow a user to access its content unless they agree to their data being processed.

    Another important aspect of valid consent is that it must be specific to the purpose of the processing activity. This means that businesses cannot obtain blanket consent for all data processing activities, but must instead obtain separate consents for each specific purpose. For example, a business cannot obtain consent for marketing emails and then use that consent to send unrelated promotional material.

    The guidelines also emphasize the importance of making it easy for individuals to withdraw their consent. Businesses must provide clear and simple methods for individuals to withdraw their consent, and must stop processing data promptly if consent is withdrawn. This ensures that individuals have control over their personal data and can revoke their consent at any time.

    In conclusion, the EDPB’s guidelines on consent provide important clarification on the use of consent as a lawful basis for processing data. By following these guidelines, businesses and organizations can ensure that they are handling personal data in a responsible and ethical manner, and that individuals have control over their own data.

    Why Legal Basis is Important

    Having a valid lawful basis for processing data is critical for complying with data protection laws and building trust with customers. By ensuring they have a valid lawful basis and following the appropriate requirements, businesses can minimize legal risks and protect their reputation.

    Furthermore, having a valid lawful basis for processing data also improves data quality and accuracy. By ensuring that data is processed for a specific purpose and with the appropriate safeguards in place, businesses can improve the value of the data and the insights it provides.

    Conclusion

    Processing data comes with legal responsibilities, and businesses must have a valid lawful basis for doing so. By understanding the legal requirements for processing data, businesses can choose the most appropriate lawful basis for their activities, improve data quality, and comply with data protection laws. Regularly reviewing and updating the lawful basis for processing data is also critical for protecting a business’s reputation and avoiding legal penalties.


    When asking for consent, a controller has the duty to assess whether it will meet all the requirements to obtain valid consent. Valid consent is a freely given, specific, informed and unambiguous indication of the data subject’s wishes by a clear affirmative action. When considering consent you should consider the following:

    Conditional consent: If you make consent a precondition of a service, it is unlikely to be an appropriate lawful basis. If the data subject has no real choice, feels compelled to consent or will endure negative consequences if they do not consent, then consent will not be valid.

    Imbalance of power: Public authorities, employers and other organisations in a position of power over individuals should avoid relying on consent unless they are confident that they can demonstrate it is freely given. It is unlikely that an employee would be able to respond freely to a request for consent from their employer to, for example, activate monitoring systems such as camera observation in a workplace, or to fill out assessment forms, without feeling any pressure to consent.

    Bundled consents: Recital 43 clarifies that consent is presumed not to be freely given if the process/procedure for obtaining consent does not allow data subjects to give separate consent for personal data processing operations. For example, a retailer asks its customers for combined consent to use their data to send them marketing by email and also to share their details with other companies within their group. This consent is not granular as there are no separate consents for the two separate purposes, therefore the consent will not be valid.

    What are the lawful bases for processing Personal Data?

    The lawful bases for processing personal data are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:

    (a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
    Advantages: Gives the Data Subject choices and control over the processing of their data.
    Disadvantages: Consent, in the form of a positive opt-in, will need to be documented and retained so that you can demonstrate it was obtained. Consent must be ‘freely given, specific, informed and unambiguous’. Specific: consent cannot be blanket consent; different consents for different purposes must be obtained. Unambiguous: there must always be a clear distinction between the information needed for the informed consent and information about other matters. Freely given: consent should be voluntary and involve a real choice. Invalid consent could lead to regulatory fines. Data Subjects have stronger rights to have their data deleted where consent is the only legal basis for processing their personal data. Consent can be withdrawn at any time, and the GDPR requires that the data subject is informed of this and that it is easy to withdraw consent. European data protection authorities have made it clear “that if a controller chooses to rely on consent for any part of the processing, they must be prepared to respect that choice and stop that part of the processing if an individual withdraws consent.” Strictly interpreted, this means the controller is not allowed to switch from the legal basis of consent to legitimate interest once the data subject withdraws consent. This applies even if a valid legitimate interest existed initially. Therefore, consent should always be chosen as a last option for processing personal data.
    Example of when consent may be an appropriate lawful basis: A school asks students for consent to use their photographs in a printed student magazine. Consent in these situations would be a genuine choice as long as students will not be denied education or services and could refuse the use of these photographs without any detriment.

    (b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
    Advantages: As long as processing the personal data is necessary for the purposes of the contract, a contract with the data subject gives a legal basis for processing personal data without the requirement for recording separate consent. This is appropriate for processing employee data, as an employment contract is required. A contract does not necessarily have to be in writing.
    Disadvantages: If the contract is with a minor, consider whether they have the necessary competence to enter into a contract. If there are doubts about their competence, consider an alternative basis such as legitimate interests. Note that ‘child’ in the Irish Data Protection Act means under 18. If the processing is not necessary for the contract, another lawful basis such as legitimate interests or consent would need to be considered.
    Example of when contract may be an appropriate lawful basis: In the employment context, when a person applies for a vacant position in your organisation, they can be deemed to have requested you to take steps before entering into a contract. When they become an employee, you will have a contractual basis to process their personal data in the course of their employment.

    (c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations). (For example, you have a legal obligation to share employee data with the Revenue for tax purposes).
    Advantages: Processing personal data to comply with a legal or statutory obligation set out in Irish or EU law is a strong lawful basis under the GDPR.
    Disadvantages: The legal obligation must be on you, the data controller, and you must be able to identify the specific legislation you are required to comply with. This does not apply to contractual obligations.
    Example of when legal obligation may be an appropriate lawful basis: A financial institution relies on the legal obligation imposed by the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 to process personal data in order to submit a Suspicious Activity Report to the regulatory authorities when it knows or suspects that a person is engaged in, or attempting, money laundering.

    (d) Vital interests: the processing is necessary to protect someone’s life. (When you need to process personal data for medical purposes, but the individual is incapable of giving consent to the processing).
    Advantages: Processing personal data without consent is permitted in instances where it is in the vital interest of the data subject, such as where there has been an accident or emergency and the data subject cannot give consent but requires treatment or transfer to a hospital to preserve life.
    Disadvantages: You cannot rely on vital interests for health data or other special category data if the individual is capable of giving consent, even if they refuse their consent.
    Example of when vital interests may be an appropriate lawful basis: An individual is admitted to the A & E department of a hospital with life-threatening injuries following a serious road accident. The disclosure to the hospital of the individual’s medical history is necessary in order to protect his/her vital interests.

    (e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law. (For example, a public body’s tasks, functions, duties or powers).
    Advantages: You can rely on this lawful basis if you need to process personal data ‘in the exercise of official authority’, which covers public functions and powers that are set out in law, or to perform a specific task in the public interest that is set out in law. It is available to any organisation that is exercising official authority or carrying out a specific task in the public interest; the focus is on the nature of the function, not the nature of the organisation.
    Disadvantages: This legal basis can only be used when an organisation is exercising official authority or carrying out a specific task in the public interest. For accountability purposes, you should be able to specify the relevant task, function or power, and identify its basis in common law or statute. You should also ensure that you can demonstrate there is no other reasonable and less intrusive means to achieve your purpose.

    (f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
    Advantages: Legitimate interest is the most flexible lawful basis for processing. It is appropriate where the personal data is being processed in ways which data subjects would reasonably expect and there is a compelling reason for processing. Legitimate interests can include commercial interests, individual interests or broader societal benefits. It avoids having to collect and retain consent and bombarding people with unnecessary consent requests, which can help avoid ‘consent fatigue’. If a controller wishes to process the personal data for a new purpose, they may be able to continue processing under legitimate interests as long as the new purpose is compatible with the original purpose. A controller may be able to lawfully disclose data on the basis of legitimate interests; these might be the controller’s own interests, the interests of the third party receiving the data, or a combination of the two. Data Subjects can object to processing on the grounds of legitimate interests, although that is not an absolute right, and the controller can continue to process where they can demonstrate a compelling reason or the processing is in relation to a legal claim.
    Disadvantages: Although legitimate interest is a flexible concept, it does not apply to everything and should not be used as a default basis for processing. By choosing legitimate interests there is an extra responsibility for considering and protecting people’s rights and interests. This includes carrying out a legitimate interest balance test or assessment to ensure that the data subject’s rights and interests are not outweighed by the data controller’s rights. There is scope for disagreement over the balance test, and you need to be able to clearly justify your decision. Article 6(1)(f) specifically highlights children’s personal data as requiring particular protection.
    Example of when legitimate interests may be an appropriate lawful basis: An insurance company wants to process personal data to spot fraudulent claims on the basis of legitimate interests. It is in the company’s legitimate business interests to ensure that its customers do not defraud it out of money. However at the same time the company’s other customers and the public in general also have a legitimate interest in ensuring that fraud is prevented and detected.

    If your organisation is processing special category data, you will need to identify both a lawful basis for processing from Article 6 and a special category condition for processing in compliance with Article 9. We will look at the Article 9 bases in a future article.

    Further Reading:
    European Data Protection Board Guidelines on Consent under Regulation 2016/679
