It’s crucial that you understand the lawful basis – also known as the legal basis – for processing personal data. The correct legal basis depends on the specific processing activity.
We help you navigate legal basis requirements with confidence as we give you the answers to:
A legal basis is the legal ground that allows you to process (and possibly disclose) personal data.
In other words, there must be a valid legal basis for you and your organization (and possibly your supplier) to process personal data lawfully.
In the GDPR, there are three types of personal data: general, sensitive, and confidential personal data.
We’ll explain all three types below.
You have a legal basis for processing general personal data if at least one of these 6 conditions applies:
Processing is necessary for the performance of a contract to which the individual is party.
Processing is necessary for compliance with a legal obligation.
Processing is necessary to protect the life or health of an individual.
Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
The processing is necessary for legitimate interests, unless overridden by the fundamental rights and freedoms of the individual.
The individual has given clear and unambiguous consent for one or more specific purposes.
Compared to general personal data, finding a legal basis for processing sensitive personal data is more difficult.
This is because sensitive personal data under Article 9 of the GDPR covers:
For sensitive personal data, you must both (1) have a legal basis in Article 6(1) and (2) use an exception to the general prohibition on processing (in Article 9(2)).
The exceptions can be found in Article 9(2), and one of them applies if at least one of these 10 conditions is met:
The individual has given explicit consent to the processing of their sensitive data for one or more specific purposes.
Processing is necessary to comply with labor, health or social protection law obligations. This includes obligations in collective agreements.
Processing is necessary to protect the life and health of the data subject or another natural person when the data subject is incapable of giving consent.
Processing is carried out by a non-profit foundation, association or other non-profit organization as part of its legitimate activities.
Processing relates to personal data that has been manifestly made public by the data subject.
Processing is necessary for the establishment, defense, or assertion of legal claims.
Processing is necessary for reasons of substantial public interest.
Processing is necessary for reasons of substantial public interest in the field of public health based on EU or national law.
This exception applies to organizations in fields such as preventive medicine, medical diagnostics, the provision of health or social care, or treatment.
Processing is necessary for public health reasons, for example protection against serious cross-border health threats.
Processing is necessary for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes based on EU or Member State law.
Please also note that there may be additional conditions in national law for processing genetic, biometric, or health data. This is currently not the case in Denmark.
Certain types of personal data are subject to special legal basis requirements. This personal data is known as confidential personal data and is listed in GDPR, Article 9(1).
As a general rule, it’s prohibited to process sensitive personal data unless you can use one of the exceptions in GDPR, Article 9(2).
Confidential data is first and foremost information about criminal offenses, for example whether a person has a criminal conviction, a parking ticket, or similar.
You can only process this data if you as a:
There are also special rules for legal basis when it comes to identification numbers (for instance, CPR numbers in Denmark). You may only process CPR numbers if you as a:
Legal basis is one of many GDPR requirements you need to understand and comply with – even if you use a supplier to process personal data.
If you want help meeting the GDPR requirements related to your vendor management, feel free to check out our GDPR guide below.
It gives you a complete compliance checklist that you can tailor to each of your suppliers.