GDPR 101: legal bases


Published on Nov 21, 2022 and edited on Dec 13, 2023 by Carlo Cilento

This article is a follow-up to our older blog about consent under the GDPR, where we briefly explained how consent works and what the limitations of consent are. We briefly mentioned that consent is not always necessary, and that personal data can sometimes be lawfully processed without a data subject's consent.

Today we will look closely at all the other legal bases for processing data under the GDPR. That's enough material to write a book about, so we will keep it as short and straightforward as possible.

  1. What is a legal basis?
  2. What are the legal bases under the GDPR?
  3. What legal basis should I choose?
  4. The legal bases
    1. Contract
    2. Legitimate interest
    3. Legal obligation
    4. Vital interest
    5. Public interest or exercise of a public authority
  5. Final Thoughts

Let's dive in!

In a nutshell: to process data lawfully, you need to rely on one of six legal bases listed by Article 6 GDPR. From a practical standpoint, this means that you are only allowed to process data when you meet one of these legal bases. So, you can consider these legal bases as alternative requirements that must be satisfied.

Art. 6(1) lists six legal bases:

  • consent
  • the performance of a contract
  • compliance with a legal obligation
  • the vital interest of the data subject or another natural person
  • performance of a task in the public interest/exercise of a public authority
  • the legitimate interest of the controller

These legal bases come with specific requirements, which can be considered a set of "pros and cons." For instance, consent is only valid when freely given, specific, informed, unambiguous, and revocable (see Articles 4(11) and 7(4)). If these requirements cannot be met, another ground must be used. Sometimes two or more grounds are available, while at other times, no ground may be available at all, in which case the data cannot be processed.

There is no order of priority between legal grounds. For instance, a data controller is free to choose between consent (listed first) and legitimate interest (listed last), provided that the requirements for each ground are met.

As we said, each ground comes with specific requirements. Sometimes only one will be available, while at other times you might have the luxury of choosing between two or more.

Each legal basis has pros and cons. For example, let's assume you can choose between consent and legitimate interest. If you choose consent, then you need to collect consents in the first place. You also must ensure that consents are valid (= freely given, specific, informed, unambiguous), and be prepared to deal with the possibility that consents might later be withdrawn.

If you rely on legitimate interest instead, you don't need to collect consent, and you don't need to worry that consent might be withdrawn later. But you will need to balance your interest with the data subject's rights, and the person the data refer to may object to the processing (more on this later).

So, choosing a legal basis is the result of a case-by-case assessment. For example, if the processing is very invasive, then your legitimate interest may be hard to balance, and consent may be a better choice. On the other hand, if you are very concerned about the withdrawal of consents, you may want to consider legitimate interest instead. There really is no one-size-fits-all solution.

That being said, all grounds have specific requirements, and as a result, some are more readily available to certain entities and organizations. Companies and other private entities typically rely on consent, contract, and legitimate interest. On the other hand, public entities usually rely on either legal obligation or public interest/authority.

GDPR legal bases

We already discussed consent, so let's look at the other legal bases. There is much to say and we can only scratch the surface here.

Contract

Under Art. 6(1)(b) GDPR, you can process data when the processing is "necessary for the performance of a contract" with the data subject or to enter a contract at their request. For example, if you are shipping goods to a customer, you need a delivery address and contact information to ensure the shipping goes well. You can process this data based on the performance of your contract with the customer.

Contract is a convenient and hassle-free legal basis. But it is pretty restrictive as to what data can be processed because the notion of necessity must be interpreted strictly and in reference to the actual object of the contract.

In other words, you cannot provide for the processing of unnecessary data in a contract as a convenient excuse to rely on this legal ground. DPAs won't let you cheat the system like that. That being said, there can be some gray areas in practice.

Consent and contract are sometimes easy to confuse because contracts are typically concluded with consent. To be clear: just because a contract provides for the processing of personal data does not mean that contract is the legal basis for the processing. For instance, the contract could collect consent for the processing. But these distinctions can be difficult for consumers and businesses to understand! In order to avoid misunderstandings, it is a good idea to explicitly identify the legal basis for the processing of the data in a contract.

Legitimate interest

Under Art. 6(1)(f), data can be processed when necessary for pursuing a legitimate interest of the controller or a third party. For instance, a company can install surveillance cameras on its premises based on its legitimate interest in protecting its property.

Legitimate interest is a very flexible ground and can be used for many purposes. It can cover an entity's interest in protecting its property, a company's interest in running its business or advertising a product, and so on. Even a general interest can sometimes be invoked to rely on legitimate interest: for instance, nonprofits have a legitimate interest in pursuing their humanitarian goals.

Legitimate interest is meant to add a degree of flexibility to the otherwise rigid system of legal grounds under the GDPR. In order to prevent the data controller from abusing this flexibility, the GDPR requires that the legitimate interest being invoked is not overridden by the interests, rights, and freedoms of the data subjects. This assessment is commonly referred to as balancing.

Balancing is a big can of worms, but as an approximation, you can think of balancing as three questions:

  • is my interest legitimate?
  • is the processing necessary?
  • does the processing disproportionately impact the position of the data subject? (In GDPR jargon the data subject is the person to whom the data refer)

These questions can sometimes be quite tricky. Balancing is a case-by-case assessment and needs to take many variables into account. Returning to our example: are the cameras placed in the company parking lot, or are they inside the workplace where they can capture footage of employees as they work? Do the cameras record footage of pedestrians moving down the street? For how long is the footage stored? All of these questions are relevant to the balancing.

In practice, balancing is carried out by drafting a written assessment called a legitimate interest assessment or LIA. While not mandatory under the GDPR, a LIA is the best way for the controller to show that they did their homework and assessed the balancing carefully.

There is much more to say about balancing, but the bottom line is that balancing is tricky, and you should consider this when deciding to rely on legitimate interest. However, legitimate interest is a very flexible ground, so it may be the only choice in some scenarios.

Two last points. First, the GDPR provides that public authorities cannot invoke this ground in performing their tasks (Article 6(1)). Second, the data subject has a right to object to the processing of their data based on legitimate interest. Notably, this right also functions as an opt-out mechanism for direct marketing based on legitimate interest. We won't go into more detail, but if you're curious, the ICO's website is a good source of information on this topic (there is no difference between the GDPR and the UK GDPR in this regard).

Legal obligation

Under Art. 6(1)(c), personal data can be processed when the processing "is necessary for compliance with a legal obligation." For instance, a bank can process a customer's financial data to fulfill its obligations under anti-money laundering regulations.

The notion of law is broad and includes rules such as administrative acts or judicial decisions. However, this law must require the data to be processed; simply authorizing the processing will not do. Additionally, this law must fulfill specific requirements of proportionality laid out by the GDPR, which means that Member States cannot make any processing of personal data lawful by simply creating a law for that purpose.

Of course, the law must be EU or Member State law; foreign laws are not a justification for processing personal data. Additionally, the law must come with an actual obligation to process data. A simple permission is not enough.

Legal obligation is a relatively hassle-free ground but is also very restrictive, as it can only be used in specific scenarios and for specific purposes.

Vital interest

Under Article 6(1)(d), data can be processed to protect the vital interests of a person. For example, if an employee is in imminent danger, the employer can provide law enforcement with GPS data from the company's car so that they can take action as soon as possible.

In this context, vital interest means a life-threatening situation is taking place. Vital interest is a rather exceptional ground and not something you would use for day-to-day data processing.

Public interest or exercise of a public authority

This is a long one: under Art. 6(1)(e), data can be processed when it is "necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller." For instance, a public school can process student grades based on its public task to further education. And the tax authority can process your personal data when performing an inspection because they can do so under the law; if the authority needed consent, no one would pay their taxes!

This ground is typically used by public authorities and public entities. It can also be used by private entities in specific scenarios, for instance when a private company provides a public service under a procurement contract.

Finally, the right to object we mentioned earlier also applies to the processing of data based on public interest/authority.

Bundeskartellamt is a landmark Court of Justice ruling from 2023 that touches upon several legal bases and showcases some of the rules we wrote about in this blog. We have two blogs about the ruling already, so we will keep things short here.

Bundeskartellamt is about Meta’s attempts to justify the profiling of its user base in order to provide them with targeted advertising on Instagram and Facebook. In other words, it is about the lawfulness of Meta’s business model as a whole rather than the tiny technicalities in its privacy policy. This makes the ruling very important for Meta and for many other platforms as well.

Before the ruling, Meta's now-outdated privacy policy threw many different legal bases around with regards to profiling, which made the policy very confusing even for data protection authorities. So, the Court of Justice went through these different legal bases in its ruling and tore them down one by one.

(On a side note: if privacy regulators with decades of legal experience cannot decipher your policy, neither can the end user. This is a serious problem and an infringement of the GDPR regardless of the content of your policy!)

Remember how we said that contractual necessity only covers the processing of personal data that is, well, necessary to the contract, as opposed to justifying anything as long as it is somewhere in the legal fine print? The Court of Justice made this exact point in Bundeskartellamt, as did European privacy watchdogs in earlier decisions involving Meta.

Remember how we said that very invasive data processing operations are hard to justify based on legitimate interest? Meta’s profiling is as invasive as it gets. Unsurprisingly, the Court shot down the legal basis of legitimate interest too.

As for consent, the Court observed that forcing consent through take-it-or-leave-it propositions does not lead to free and valid consent (although Bundeskartellamt might have unfortunately left the door somewhat open to pay-for-privacy approaches, but that's a story for another blog).

None of these positions was terribly new or controversial: the rules had already been clarified by the case law, by guidance from privacy authorities, and by the Recitals of the GDPR itself. The Court of Justice merely put all the pieces of the puzzle together to stop Meta from circumventing the GDPR.

At the end of the day, the crucial takeaway of Bundeskartellamt is that legal bases matter. They are not pro forma requirements that can be met by adding compliance fluff to a privacy policy. They are substantive rules that tell you what you can and cannot do with personal data, and must be treated as such.

Final Thoughts

Handling personal data correctly is important, but guidelines and laws are not always easy to understand. We tried to create a comprehensive overview to give a bit more clarity on the different legal bases for data collection. The GDPR has set the boundaries for what's possible and what is not. As a business, you must adhere to these laws to protect your customer's privacy. Having a clear understanding of these legal bases reduces your company's risks of lawsuits and data breaches.

Even if the GDPR did not exist and there were no laws to violate concerning data protection, organizations are morally obliged to handle the data of their website visitors in a responsible manner. At least, this is what we believe at Simple Analytics.

This is why we created a privacy-first Google Analytics alternative that doesn't use cookies or collect personal data while still obtaining actionable insights from your website visitors.

We believe in creating an independent web that is friendly to website visitors while providing the insights you need to run your business. If this resonates with you, feel free to give us a try.
