
How to Pick the Right Legal Basis

The GDPR allows you to process personal data only if one of the recognized legal bases applies, and it also requires controllers to disclose on which legal grounds they are basing their activities. This information must be delivered to data subjects within the privacy policy pursuant to art. 13.

Article 6 of the GDPR provides for 6 different conditions that can make the processing of personal data lawful:

  a. Processing is necessary for the performance of a contract (or of pre-contractual measures) to which the data subject is party.

  b. Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

  c. Processing is based on the data subject’s consent.

  d. Processing is necessary in order to protect the vital interests of the data subject or of another natural person.

  e. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

  f. Processing is necessary for compliance with a legal obligation to which the controller is subject.

Which one should you pick?

Generally, in the online environment, you will mostly deal with option a, b, or c. For this reason, we’ll briefly explain the less common options (d, e, f) first, then focus and expand on a, b, and c: contract, legitimate interests, and consent.

Less common legal bases

d. Vital interests

Processing is necessary in order to protect the vital interests of the data subject or of another natural person.

This typically applies to life-saving interventions, such as doctors or paramedical staff that may need to collect the data subject’s blood group for the purposes of a transfusion.

e. Public interest

Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

A medical doctor whose patient has been diagnosed with an extremely contagious, potentially epidemic disease may be required to report this to the local health agency or institution for prevention purposes.

f. Legal obligation

Processing is necessary for compliance with a legal obligation to which the controller is subject.

This applies whenever the controller is required by law to process personal data referring to the data subject, e.g. employers, who have a legal obligation to collect certain personal data from their employees and possibly transfer them to authorities or agencies (e.g. social security institutions).

A very common use case for this provision are the nationally varying provisions (usually tax law or commercial law) requiring companies and professionals to retain issued invoices (which obviously bear the invoice recipient’s personal data) for a number of years.

Most common legal bases

a. Contract

Processing is necessary for the performance of a contract (or of pre-contractual measures) to which the data subject is party.

Contracts are the most common and fundamental legal grounds for the processing of personal data. Whenever you close a contract with a user – be it for the purchase of a product, to access information, to order a service, to book a flight, etc. – you need to collect some of the user’s personal data, otherwise you wouldn’t even be able to perform the contract. This also applies to pre-contractual negotiations.

Example

You sell tailored suits via the internet. To do this, you collect the following personal data from your customers: name, last name, address for invoicing and delivery, e-mail address for communication, body measurements for the suit, and payment details. All such data are strictly necessary to perform the contract: you could not do without them. Customers know this, and this is why you don’t need to collect their consent to the processing of such data: the contract they have closed with you is already sufficient as a legal basis.

But what would happen if the customer sent their data before the contract is closed, because you first have to check whether the chosen fabric is available? The same: pre-contractual measures count as a legal basis as well. Of course, if the fabric turns out to be unavailable and the customer decides not to close a purchase contract, you’ll have to delete all data received immediately.

Pros and Cons of contracts as a legal basis

Pros:

  • no need to collect the data subject’s consent
  • flexibility: all processing activities necessary for the performance of the contract are lawful

Cons:

  • strictly dependent on the contract: if the contract is canceled, the processing must stop

b. Legitimate interests

Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

Where you don’t have a contractual relationship with the data subject, or your contractual relationship does not cover the specific processing you plan on carrying out, you may want to look into this option. A legitimate interest is, for instance, that of a bank owner who installs CCTV cameras outside the bank entrance. People passing by are likely recorded, so personal data are being collected all the time without their consent and without any kind of (contractual) relationship to them. But the bank owner has a clear legitimate interest in filming the bank entrance for safety reasons.

Note: If data subjects exercise their right to object to the processing of their personal data on the grounds of a legitimate interest, an assessment must be made on a case-by-case basis, as to whether the controller’s legitimate interest or the data subject’s fundamental rights and freedoms prevail.

Example

When selling tailored suits over the internet, you decide that you’d like to give your customers a better service by allowing them to personalize the shop interface. To do so, you must place cookies on the customers’ browsers that – say – store their preferences.

Since this processing activity is not covered by the legal basis “contract” (you don’t need to place cookies to perform the contract and deliver the suit), you may base it on your legitimate interest in customizing your service and improving user experience. Most probably, such a legitimate interest would, in this case, prevail over the data subject’s fundamental rights and freedoms, especially because there would be no major impairment of the data subject’s interests.

Pros and Cons of legitimate interest as legal basis

Pros:

  • no need to collect the data subject’s consent
  • the data subject’s right to object is not unlimited
  • applicable to any kind of processing

Cons:

  • uncertainty: no list of “approved legitimate interests” exists
  • may entail additional compliance duties
  • bears a high potential for conflict

c. Consent

Processing is based on the data subject’s consent.

Sometimes the processing of personal data you’d like to perform is not necessary for a contract closed with the data subject, and your interest in it is not likely to prevail against the data subject’s fundamental rights and freedoms. If you’ve checked all legal bases and none of them applies, you have to go for consent. This basically means that you can ask for the data subject’s consent for pretty much any kind of processing of personal data, including sensitive/special category data.

According to the GDPR’s recital no. 32, “consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.”

In connection with Article 8, which addresses the controller’s duty to provide evidence of the collected consent and the data subject’s right to withdraw it at any time without stating any reason, the following conditions apply to consent:

  1. “affirmative”: no “opt-out” mechanisms are acceptable. The data subject must actively decide to consent.

  2. “freely given”: the data subject must be free to consent to the processing, i.e. not be forced, ordered or even merely put under pressure to do so. Imagine an employee having to consent to processing by their employer: it will be hard for the employer to demonstrate that no pressure whatsoever has been exerted on the employee to obtain their consent.

  3. “specific”: no blanket consent. The purposes for which consent is sought must be laid down one by one and, if they are not necessarily connected to one another, consent must be collected for each one separately.

  4. “informed”: controllers must explain precisely what they plan to do and for what purposes. Statements like “for marketing purposes” are not sufficient to inform data subjects about what is going to be done with their personal data.

  5. “unambiguous”: if the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. If, for instance, you collect consent within a contract that regulates other aspects, you have to highlight that passage appropriately.

  6. proof of consent: controllers must be able to demonstrate that they have duly collected consent. This is why iubenda has developed the Consent Solution.

  7. withdrawal right: data subjects can always decide to withdraw their consent, with immediate effect for the future. This is a particularly risky issue that you should consider, in particular when you plan to perform processing activities over a longer period of time.

Whenever basing the processing of personal data on consent, you must also take into account the implications of collecting consent from minors.

From the above, you can already guess that consent is only an appropriate legal basis if no other applies. Indeed, there are a number of reasons why consent could turn out to be, or be considered, invalid, e.g. if it’s not “informed” enough, or if it’s unclear whether the data subject was under any pressure whatsoever to express consent.

Example

Apart from selling tailored suits, you would obviously like to send out commercial and promotional information about your own products and services and those of your cooperating partners (e.g. a shoe producer). Obviously sending out newsletters does not belong to the activities covered by the scope of the contracts you close with your customers, who are just buying suits.

Additionally, even if you have a clear legitimate interest in sending out such newsletters, most probably the fundamental rights and freedoms of data subjects would prevail, since unsolicited commercial communication is black-listed under various provisions (including the GDPR and the E-Privacy Directive 2002/58/EC) of EU and member states’ law.

Therefore, all you can do is work with consent. This is how you do it:

  1. Give your customers the option to sign up for a newsletter. Don’t email them to ask for the subscription as this would already represent an unsolicited communication, instead use a method like a website form or a link on social media.

  2. Make sure that when customers subscribe to your newsletter they get duly and specifically informed, and that their consent is freely given (no tricks like “you can only order a suit if you also consent to receiving our newsletter” are acceptable).

  3. Make sure that it’s really your customer who has signed up for the newsletter, and not someone else or a bot. Therefore, implement a double opt-in process to guarantee that consent is affirmative and unambiguous.

  4. Inform your customers when collecting consent and within each following newsletter sent out that they are always free to withdraw consent, and how.

It’s worth noting here that there are certain conditions under which you’re allowed to send out newsletters on an opt-out basis, i.e. without previously collecting consent. You can read about these exceptions in the dedicated Email & Newsletter Guide.

Pros and Cons of consent as legal basis

Pros:

  • open to any kind of data processing
  • also applies to sensitive data

Cons:

  • high compliance and documentation duties
  • can always be withdrawn
  • risk that consent may be considered invalid
