X Blog

When is your company allowed to process personal data under the GDPR?

Published by XCure 27.5.2020 13:40

The General Data Protection Regulation of the European Union has brought a new approach to the way companies deal with personal data, requiring much more transparency and accountability from them. Even though the GDPR came into force in 2018, many organizations are still not fully compliant with it. To help them on this journey, our XCure team has created this special series about data protection law.

Following our first article 6 things you need to know about GDPR, in which we explain when it is applicable, who needs to comply with it, and more, we will now dive deep into the legal bases companies have for processing data. Don’t miss it!

The six legal bases for processing personal data

According to the principle of lawfulness brought by the GDPR, organizations can only process personal data if they have a legal ground to do so.

The documentation stating the chosen basis is used to prove to the supervisory authorities that the processing is indeed necessary. This is extremely important, because if a company can achieve the desired purpose without collecting and using personal data, it will not be allowed to process that data.

It is important to note that legal grounds cannot be changed without a strong justification, so organizations should be careful to select the right option from the start. While most companies focus on obtaining consent from subjects in order to be able to process personal data, that is not the only legal basis defined in the Regulation. In fact, there are six of them:

  1. Consent: Consent is the authorization given by the data subject to the controller, allowing the organization to process his or her personal data. The GDPR has a series of requirements in order for it to be valid. These include the need for consent to be given for a specific purpose, and for requests to be presented to the data subject in a way clearly distinguishable from other matters, intelligible and written in clear and plain language. Finally, consent must be freely given.
  2. Contract: When the processing of personal data is required for the performance of a contract to which the data subject is party, or in order to take steps at the data subject's request.
  3. Legal obligation: Personal data can also be processed in cases where it is necessary for the controller to comply with the law. Note that this covers obligations imposed by law, as is the case, for example, with employment law, but not contractual obligations.
  4. Vital interest: The basis of vital interest applies when personal data needs to be processed to protect someone's life, be it the data subject's or another natural person's. That would be the case if, for example, a person was unconscious and the treatment to save his or her life depended on health data.
  5. Public task: When necessary for a task carried out in the public interest or for official functions. These tasks need to have a clear basis in national law.
  6. Legitimate interests: Either of the controller or a third party, except when these interests are overridden by the interests, rights or freedoms of the data subject that demand the protection of personal data. The restriction is especially important when the subject is a child.

Why is determining the legal basis for processing so important?

The legal basis for processing affects the rights held by data subjects, meaning that the choice an organization makes in this regard has very concrete consequences.

If the basis for processing is consent, for example, in certain circumstances data subjects will have the right to request that the company erase their data (right to erasure) or transfer it to another organization (right to portability). Neither of these rights exists, on the other hand, when the processing is based on a legal obligation. We have summarized these impacts in the table below.

Legal basis           Right to erasure   Right to portability   Right to object to the processing
Consent               Yes                Yes                    No, but data subjects can withdraw their consent
Contract              Yes                Yes                    No
Legal obligation      No                 No                     No
Vital interests       Yes                No                     No
Public task           No                 No                     Yes
Legitimate interests  Yes                No                     Yes


What happens if your company processes personal data without having a legal basis?

A company processing personal data without having a legal basis is committing a very serious offense under the GDPR and can be subjected to a hefty fine. For such a violation, the fine is up to €20 million or 4% of the firm's worldwide annual revenue from the previous year, whichever amount is higher.

Before your company processes personal data of subjects in Europe, it needs not only to have a determined legal basis, but also to document this decision properly. This process can be challenging, but with XCure’s Privacy Management Tool, you can easily map, document and maintain the requirements of the data protection regulation in your organization. Try it now for free and become compliant with the GDPR!

Contact the XCure team if you want more information or a presentation of the Privacy Management Tool.

Topics: EU General Data Protection Regulation, GDPR, Data Protection Regulation, Data protection tool, Privacy Management Tool