1. Legal bases for data processing
Welcome back! Let's learn about the six legal bases of GDPR to determine how to choose one for various data processing scenarios.
2. The six GDPR legal bases
To process personal data, you need at least one of the six legal bases stated in Article 6 of GDPR. They are:
1. Consent
2. Legitimate interest
3. Legal obligation
4. Contractual obligation
5. Vital interests
6. Public task
3. Consent
Consent is the most widely known and visible legal basis of GDPR. Consent is only valid if the data subject is well-informed and can freely provide unambiguous consent with a clear and affirmative action, like checking a box. Freely given consent means the data subject is not under undue pressure or influence from the data controller.
Consent is valid only if you offer data subjects real choice and control over how you use their data; it should be designed to build their trust and engagement.
A major misconception around informed consent is that many believe it is the only way to collect and process personal data under GDPR. Remember, there are six! Let's look at the next one.
4. Legitimate interest
Legitimate interest is another essential legal basis for companies to process personal data. It is a very flexible legal basis: you can apply it to any processing situation that has a reasonable, lawful, and necessary purpose.
The crucial requirement for data controllers using this basis is to weigh the controller's interests against those of the data subjects.
A few example processing situations that use legitimate interest are direct marketing emails and advertisements, charitable fundraising campaigns, and whistle-blowing schemes.
5. Legal obligation
Next is legal obligation.
You can use the legal obligation basis if you need to process personal data to fulfill a legal requirement imposed by relevant EU or national laws.
If you are a company, you may have to provide the personal data of your employees, including their income, to the relevant authorities so that those authorities can provide social security coverage and applicable employee welfare benefits.
6. Contractual obligation
Now we have contractual obligation.
You can use this legal basis to fulfill a contractual agreement between your company and your clients, or to collect the information required to draw up such a contract.
For example, if you are an online retailer, you must process your client's information to enter into your buyer-seller contract and fulfill it.
7. Vital interests
Now on to vital interests.
This legal basis protects someone's vital interests, especially during life-threatening situations.
The most common example is a hospital providing emergency healthcare after an unplanned medical event, like a serious accident: it can process the patient's history without the individual's consent, since the patient may be unable to give it.
8. Public task
And finally, public task.
This legal basis applies to tasks carried out in the public interest or by a public body to exercise its authority per the law.
Examples include scientific research projects conducted by universities, activities by organizations that promote or support democracy, as well as government functions laid down by law and carried out by public bodies.
9. Let's practice!
So far, we have learned about the various GDPR principles, including the legal bases required for personal data processing. In the following videos, we'll explore examples that show the real impact of these principles for organizations in terms of enforcement, data transfers, and data subject rights.
Now let's test your knowledge on legal bases!