Refresher on Legal Basis

5 December 2023

As the year draws to a close and we reflect on recent data protection updates, guidance and decisions, our team has prepared a refresher on the legal grounds for processing of personal data, and what you need to consider when relying on a particular legal basis.

Accountability is one of the key principles which underpins the GDPR. When considering which legal basis your organisation relies upon for processing personal data, we recommend you back up your decision with an objective justification.

Let’s now illustrate how each legal ground can be relied upon.

Legal basis	Considerations ¹
Consent	The Data Subject must give consent freely and unambiguously. Consent must be presented in clear and plain language so that it is informed. Data Subject must be able to withdraw consent.
Performance of a contract	Processing must be necessary to deliver the contractual service. If the contract is with a child, the organisation needs to ensure the child has the necessary competence to enter the contract.
Legal obligation	Your organisation must be obliged to process the personal data to comply with an EU or national legislation or the common law. The processing operations must be necessary to comply with the legal obligation. The law should make clear the purposes of the processing and must meet an objective of public interest.
Vital interests	Processing of personal data is needed to protect someone’s life or mitigate against a serious threat to a person (e.g., in a medical or healthcare situation). This legal basis is less likely to be appropriate for large scale processing.
Public task	Appropriate where your organisation is a Public Authority or exercises official authority or carries tasks of public interest (e.g., professional associations) The processing under this legal basis should be grounded on EU or national law
Legitimate interest	Your organisation should consider the three elements needed for this legal basis: The purpose test. Identifying a legitimate interest which they or a third party pursue. The necessity test. Demonstrating that the intended processing of the data subject’s personal data is necessary to achieve the legitimate interest. The balancing test. Balancing the legitimate interest against the data subject’s interests, rights, and freedoms by carrying out a Legitimate Interest Assessment.

Data controllers must consider how their data processing activities fit within the above grounds. It is worth bearing in mind that the lawful bases as set out in Article 6 are not hierarchical, and each of the six grounds rank equally and can be validly relied upon. The facts of each processing activity will determine the most appropriate legal basis for processing personal data.

Finally, in line with the principle of data minimisation, processing of personal data should only be undertaken in a limited way, where relevant and necessary to achieving the purpose of the processing. To ensure accountability, controllers should record their reasoning as to why they thought it necessary to process personal data under the different legal basis as outlined above.

Refresher on legal basis

How can KPMG help?

Footnote

Contact the team