
GDPR and Legal Basis: How to Ensure the Lawful Basis for Processing Personal Data

It’s crucial that you understand the lawful basis – also known as the legal basis – when processing personal data. The correct legal basis depends on the specific processing activity.

We help you navigate legal basis requirements with confidence by answering the following questions:

 

What is legal basis?

The legal basis is the lawful ground under the GDPR that permits you to process (and possibly disclose) personal data.

In other words, there must be a valid legal basis for you and your organization (and possibly your supplier) to process personal data lawfully.

In the GDPR, there are three types of personal data: general, sensitive, and confidential personal data.

We’ll explain all three types below.

Your legal basis for processing general personal data

Processing general personal data is lawful if at least one of the following six conditions in Article 6(1) applies:

#1: Contract

Processing is necessary for the performance of a contract to which the individual is party.

#2: Legal obligations

Processing is necessary for compliance with a legal obligation.

#3: Vital interests

Processing is necessary to protect the life or health of an individual.

#4: Public task

Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.

#5: Legitimate interests

Processing is necessary for the legitimate interests pursued by you or a third party, unless those interests are overridden by the fundamental rights and freedoms of the individual.

#6: Consent

The individual has given clear and unambiguous consent for one or more specific purposes.

Your legal basis for processing sensitive personal data

Compared to regular personal data, finding a legal basis for processing sensitive personal data is more difficult.

This is because sensitive personal data under Article 9 of the GDPR covers:

  • Racial or ethnic origin
  • Political opinions, religious or philosophical beliefs
  • Trade union memberships
  • Genetic or biometric data
  • Health data
  • Data concerning sex life or sexual orientation

For sensitive personal data, you must both (1) have a legal basis in Article 6(1) and (2) use an exception to the general prohibition on processing (in Article 9(2)).

The exceptions are listed in Article 9(2); one applies if at least one of the following ten conditions is met:

#1: Explicit consent

The individual has given explicit consent to the processing of their sensitive data for one or more specific purposes.

#2: Labor, health and social law obligations

Processing is necessary to comply with labor, health or social protection law obligations. This includes obligations in collective agreements.

#3: Vital interests

Processing is necessary to protect the life and health of the data subject or another natural person when the data subject is incapable of giving consent.

#4: Non-economic activity

Processing is carried out by a non-profit foundation, association or other non-profit organization as part of its legitimate activities.

#5: Published data

Processing relates to personal data that has been manifestly made public by the data subject.

#6: Legal requirements

Processing is necessary for the establishment, exercise, or defense of legal claims.

#7: Substantial public interest

Processing is necessary for reasons of substantial public interest.

#8: Medical purposes

Processing is necessary for reasons of substantial public interest in the field of public health based on EU or national law.

The exception applies to organizations in the field of, for example, preventive medicine, medical diagnostics, provision of health or social care, or treatment.

#9: Public health

Processing is necessary for public health reasons, for example protection against serious cross-border health threats.

#10: Archiving, research, and statistics

Processing is necessary for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes based on EU or Member State law.

Please also note that there may be additional conditions in national law for processing genetic, biometric, or health data. This is currently not the case in Denmark.

Your legal basis for processing confidential personal data

Certain types of personal data are subject to special legal basis requirements. This personal data is known as confidential personal data and is listed in GDPR, Article 9(1).

As a general rule, it’s prohibited to process sensitive personal data unless you can use one of the exceptions in GDPR, Article 9(2).

Confidential data is first and foremost information about criminal offenses, for example whether a person has a criminal conviction, a parking ticket, or similar.

You may only process this data if you are a:

  • Public authority and need to do so for the administration to perform its task, or
  • Private company and 1) have obtained the explicit consent of the data subject, or 2) have a legitimate interest that clearly overrides the interests of the data subject.

There are also special rules for legal basis when it comes to identification numbers (for instance, CPR numbers in Denmark). You may only process CPR numbers if you are a:

  • Public authority and the purpose is 1) identifying individuals or 2) using the number as a record number.
  • Private organization and 1) are required to do so by law, 2) have consent from the data subject, or 3) need to do so to comply with an employment law obligation.

Legal basis is one of many GDPR requirements you need to understand and comply with – even if you use a supplier to process personal data.

If you want help meeting the GDPR requirements related to your vendor management, feel free to check out our GDPR guide below.

It gives you a complete compliance checklist that you can tailor to each of your suppliers.

Complete guide and checklist for vendor management

Get a tailored GDPR checklist to ensure your compliance when implementing, using, and terminating suppliers.
