Under the General Data Protection Regulation, there must be a “legal basis” for personal data processing to be lawful. This overview aims to provide guidance, identifying legal processing of data as well as the obligation in which to go.

Guidance on Legal Bases for Processing Personal Data One of the first questions organisations involved in processing personal data (‘controllers’) should ask themselves before undertaking the processing is “What is my reason or justification for processing this personal data?”

This is of key importance because any processing of personal data is only lawful where it has what is known as a ‘legal basis importantly Article 6 of the General Data Protection Regulation (GDPR) sets out these potential legal bases: consent; contract; legal obligation; vital interests; public task; or legitimate interests.

This guidance aims primarily to assist controllers in identifying the correct legal basis for any processing of personal data they undertake or plan to undertake – and the obligations that go with that legal basis In addition, this guide will be helpful to users whose personal data is subject to processing (‘data subjects’) in identifying whether the processing of their data is lawful and, as part of that, what the legal basis for that processing may be. 

Legal bases for processing personal data – full guidance note

Data Protection Commission originally published this article. Contact us to learn more about GDPR compliance or go through our compliance packages to help your business maintain compliance.