The GDPR provides several legal bases for the lawful processing of personal data, in accordance with its Articles 5(1)(a) and 6.
The CNIL, the French supervisory authority, defines the legal basis as follows:
“The legal basis of a processing operation is what legally authorizes its implementation, which gives an organization the right to process personal data. It can also be referred to as the ‘legal basis’ or ‘legal foundation’ for processing.”
Without an adequate legal basis for each processing operation, the processing of personal data is not lawful, and the controller is likely to be sanctioned by the supervisory authority in the event of an audit.
Article 5 – Principles relating to the processing of personal data
Personal data must be:
There are 6 legal bases proposed by the GDPR:
– Consent;
– Performance of a contract;
– Legal obligation;
– Safeguarding vital interests;
– Public interest;
– Legitimate interests.
These 6 legal bases are the only ones proposed by the GDPR; there is no other way to make the processing of personal data lawful.
Article 6 specifies the conditions of what the GDPR calls the lawfulness of processing, and lists in detail the different possibilities that exist. The 6 legal bases are listed in its paragraph 1, points (a) to (f).
Article 6 – Lawfulness of processing
1. Processing shall be lawful only if and insofar as at least one of the following conditions is met:
2. Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation in relation to processing for the purpose of complying with paragraph 1(c) and (e), by determining more precisely the specific requirements applicable to the processing as well as other measures to ensure lawful and fair processing, including in other specific processing situations as provided for in Chapter IX.
3. The basis for the processing referred to in paragraph 1(c) and (e) shall be defined by:
4. Where processing for a purpose other than that for which the data were collected is not based on the consent of the data subject or on Union law or the law of a Member State which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller, in order to determine whether processing for another purpose is compatible with the purpose for which the personal data were originally collected, shall take into account, inter alia:
To illustrate the application of Article 6 and the different choices offered as legal bases, I will give two simple examples.
The first example is a processing operation necessary for the performance of a contract. In this case, consent is neither the most judicious nor the most logical legal basis, so the choice would simply be “the performance of a contract”.
The second example is a processing operation serving a newsletter subscription. Here the most logical choice is consent, because no other legal basis would be appropriate. The legal basis of the performance of a contract, as in the first example, would obviously not be the best choice.
It is very important to check that the legal basis is appropriate to the situation: not only is it the only way to make the processing lawful, it is also an important piece of information that must be recorded in various documents in your accountability file.
The lawfulness of processing goes much further, and is much more complex, than the choice of the legal basis.
But the legal basis is an important point to take into account, and a choice to be made carefully. Some processing is purely and simply forbidden, even if the GDPR provides exceptions. I will certainly discuss this in a future article.
I invite you to contact a GDPR consultant or a DPO for more information and for help with implementing your compliance.