It’s crucial that you understand the lawful basis – also known as the legal basis – when processing personal data. The correct legal basis depends on the individual processing.
We help you navigate legal basis requirements with confidence as we give you the answers to:
- What is legal basis?
- What legal basis can I use for processing general personal data?
- What legal basis can I use for processing sensitive personal data?
- What legal basis can I use for processing confidential data?
What is legal basis?
Legal basis is the lawful ground that allows you to process (and possibly disclose) personal data.
In other words, there must be a valid legal basis for you and your organization (and possibly your supplier) to process personal data lawfully.
In the GDPR, there are three types of personal data: general, sensitive, and confidential personal data.
We’ll explain all three types below.
Your legal basis for processing general personal data
You have a legal basis for processing general personal data if at least one of these 6 conditions applies:
#1: Contract
Processing is necessary for the performance of a contract to which the individual is party.
#2: Legal obligations
Processing is necessary for compliance with a legal obligation.
#3: Vital interests
Processing is necessary to protect the life or health of an individual.
#4: Public task
Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
#5: Legitimate interests
The processing is necessary for legitimate interests, unless overridden by the fundamental rights and freedoms of the individual.
#6: Consent
The individual has given clear and unambiguous consent for one or more specific purposes.
Your legal basis for processing sensitive personal data
Compared to regular personal data, finding a legal basis for processing sensitive personal data is more difficult.
This is because sensitive personal data under Article 9 of the GDPR covers:
- Racial or ethnic origin
- Political opinions, religious or philosophical beliefs
- Trade union memberships
- Genetic or biometric data
- Health data
- Data concerning sex life or sexual orientation
For sensitive personal data, you must both (1) have a legal basis in Article 6(1) and (2) use an exception to the general prohibition on processing (in Article 9(2)).
The exceptions are listed in Article 9(2), and one applies if at least one of these 10 conditions is met:
#1: Explicit consent
The individual has given explicit consent to the processing of their sensitive data for one or more specific purposes.
#2: Labor, health and social law obligations
Processing is necessary to comply with labor, health or social protection law obligations. This includes obligations in collective agreements.
#3: Vital interests
Processing is necessary to protect the life and health of the data subject or another natural person when the data subject is incapable of giving consent.
#4: Non-economic activity
Processing is carried out by a non-profit foundation, association or other non-profit organization as part of its legitimate activities.
#5: Published data
Processing relates to personal data that has been manifestly made public by the data subject.
#6: Legal requirements
Processing is necessary for the establishment, exercise, or defense of legal claims.
#7: Substantial public interest
Processing is necessary for reasons of substantial public interest.
#8: Medical purposes
Processing is necessary for reasons of substantial public interest in the field of public health based on EU or national law.
The exception applies to organizations in fields such as preventive medicine, medical diagnostics, the provision of health or social care, or treatment.
#9: Public health
Processing is necessary for public health reasons, for example protection against serious cross-border health threats.
#10: Archiving, research, and statistics
Processing is necessary for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes based on EU or Member State law.
Please also note that there may be additional conditions in national law for processing genetic, biometric, or health data. This is currently not the case in Denmark.
Your legal basis for processing confidential personal data
Certain types of personal data are subject to special legal basis requirements. This personal data is known as confidential personal data and is listed in GDPR, Article 9(1).
As a general rule, it’s prohibited to process sensitive personal data unless you can use one of the exceptions in GDPR, Article 9(2).
Confidential data is first and foremost information about criminal offenses, for example information that a person has a criminal conviction, a parking ticket, or similar.
You may only process this data if you, as a:
- Public authority, need it so that the administration can perform its tasks
- Private company, 1) have obtained the explicit consent of the data subject, or 2) have a legitimate interest that clearly overrides the interests of the data subject.
There are also special rules for legal basis when it comes to identification numbers (for instance, CPR numbers in Denmark). You may only process CPR numbers if you, as a:
- Public authority, do so for the purpose of 1) identifying individuals or 2) using the number as a record number.
- Private organization, 1) are required to do so by law, 2) have the consent of the data subject, or 3) need to do so to comply with an employment law obligation.
Legal basis is one of many GDPR requirements you need to understand and comply with – even if you use a supplier to process personal data.
If you want help meeting the GDPR requirements related to your vendor management, feel free to check out our GDPR guide below. It gives you a complete compliance checklist that you can tailor to each of your suppliers.
Complete guide and checklist for vendor management
Get a tailored GDPR checklist to ensure your compliance when implementing, using, and terminating suppliers.