According to a report from Ireland’s Data Protection Commission (DPC), “one of the first questions” for a company involved in personal data processing under the European Union General Data Protection Regulation (GDPR) should be: “What is my reason or justification for processing this personal data?”

That is “because any processing of personal data is only lawful where it has what is known as a ‘legal basis’.” According to GDPR’s Article 6: “Processing shall be lawful only if and to the extent that at least one of the following applies”:

  1. “the data subject has given consent to the processing of his or her personal data for one or more specific purposes”;
  2. “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”;
  3. “processing is necessary for compliance with a legal obligation to which the controller is subject”;
  4. “processing is necessary in order to protect the vital interests of the data subject or of another natural person”;
  5. “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”;
  6. “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

Per the DPC report, data controllers “need to determine which legal basis they are relying on in order to ensure that any processing they undertake is lawful. There is no hierarchy or preferred option within this list, instead each instance of processing should be based on the legal basis which is most appropriate in the specific circumstances. Controllers should be aware that there may be different legal bases applicable where the same personal data are processed for more than one purpose. Further, it is important to note that ‘consent’, whilst perhaps the most well-known, is not the only legal basis for processing – or even the most appropriate in many cases.”

The DPC hopes with this report “to assist controllers in identifying the correct legal basis for any processing of personal data which they undertake or plan to undertake – and the obligations which go with that legal basis.”

For more on GDPR compliance, consult the Insights Association's GDPR portal.