Legal Bases (6) under GDPR

Privacy & Data Protection

Classification

Data Protection & Privacy Law

Overview

The General Data Protection Regulation (GDPR) requires that all personal data processing activities have a valid legal basis. There are six standard legal bases: (1) Consent, (2) Contractual necessity, (3) Compliance with a legal obligation, (4) Protection of vital interests, (5) Performance of a task carried out in the public interest or in the exercise of official authority, and (6) Legitimate interests pursued by the controller or a third party. Each basis has specific conditions and limitations. For example, consent must be freely given, specific, informed, and unambiguous, while legitimate interest requires a balancing test between the interests of the controller and the rights of the data subject. Not all bases are equally applicable in every context, and some (such as vital interests) are intended for exceptional situations. A key nuance is that organizations must select the most appropriate basis before processing begins and cannot retrospectively switch bases.

Governance Context

GDPR Article 6 outlines the six legal bases and mandates that organizations document and justify their choice of legal basis for each processing activity. Under Article 5(2) (Accountability Principle), controllers must demonstrate compliance, which includes maintaining records of processing activities (Article 30) and conducting Data Protection Impact Assessments (DPIAs) when required (Article 35). Supervisory authorities, such as the European Data Protection Board (EDPB), expect organizations to be able to explain and evidence their legal basis. For example, the UK Information Commissioner's Office (ICO) requires organizations to publish privacy notices that clearly state the legal basis for processing. Two concrete obligations include: (1) maintaining a Record of Processing Activities (ROPA) that specifies the legal basis for each activity, and (2) ensuring that privacy notices provided to data subjects clearly identify the legal basis relied upon for each type of processing. Failure to use an appropriate legal basis can result in enforcement actions, fines, or orders to stop processing.

Ethical & Societal Implications

Selecting the appropriate legal basis directly impacts individuals' privacy rights and trust in organizations. Over-reliance on less restrictive bases, such as 'legitimate interests,' can erode public confidence and may lead to misuse of personal data. Conversely, overly restrictive interpretations may hinder beneficial data uses, such as research or emergency interventions. Transparent communication about the legal basis and respecting individual rights, such as the right to object or withdraw consent, are essential for ethical data governance. The choice of legal basis can affect societal perceptions of fairness, autonomy, and the legitimacy of organizational data practices.

Key Takeaways

GDPR requires one of six legal bases for lawful personal data processing.
Each legal basis has specific requirements and limitations; selection must be justified and documented.
Organizations must communicate the legal basis to data subjects, typically via privacy notices.
Failure to use or document an appropriate legal basis can result in regulatory sanctions.
Legal bases cannot be changed retroactively once processing has started.
Maintaining clear records (ROPA) and conducting DPIAs are key compliance controls.
Choosing an inappropriate legal basis can undermine data subjects' rights and organizational trust.