GDPR basics: legitimate basis

Recital 39 of the General Data Protection Regulation (GDPR) states that any processing of personal data should be lawful and fair, and Recital 40 adds that, for processing to be lawful, personal data must be processed on the basis of the consent of the data subject or some other legitimate basis laid down by law. These legitimate bases are therefore central to data protection, and this article briefly describes them and explains when each applies.

Although the name chosen by the regulator may be a little confusing, a legitimate basis (also known as a legal ground or lawful basis) is simply a concrete situation or scenario in which it is permissible to process personal data. In other words, the concept lays down a rule as simple as this: data controllers cannot carry out a processing activity whenever they wish, but only when they are entitled to do so. A data controller may therefore proceed with a processing activity only when a legitimate basis exists for it, and the basis relied on should be identified before the processing starts, since it also determines the information that must be given to data subjects and the rights they can exercise.

The list of legitimate bases is set out in Article 6(1) GDPR and is as follows:

(a) Consent. This basis applies when the data subject has given consent to the processing of their personal data for one or more specific purposes. Consent must be freely given, specific, informed and unambiguous, so inactivity, silence or pre-ticked boxes do not constitute consent. The data subject must also be able to withdraw consent at any time, without detriment, and withdrawing it must be as easy as giving it (Article 7(3) GDPR). In practice this means that obtaining consent, recording it and managing its withdrawal is not always straightforward, which is why consent is often not the most suitable basis when another one is available.

(b) Contract or steps prior to entering into a contract. Where there is a contract in place to which the data subject is a party, this legitimate basis covers any processing of data that is necessary for the performance of that contract. It also covers the processing required to take steps, at the request of the data subject, before entering into the contract (for example, preparing a quotation that the prospective customer has asked for). The key word is "necessary": processing that is merely useful or convenient for the controller, but not needed to perform the contract, is not covered by this basis.

(c) Legal obligation. This legitimate basis applies when there is a "legal obligation" rather than a mere "legal entitlement", which is a different thing. That is to say, when a rule of Union or Member State law obliges the data controller to carry out a specific activity that involves data processing, this legitimate basis applies (Article 6(3) GDPR requires the obligation to be laid down in such law). For instance, this happens when an entity is obliged to disclose information to public authorities, such as tax authorities, or to retain certain records for a statutory period.

(d) Vital interests. This legitimate basis applies where processing is necessary to protect the life of the data subject or of another natural person. For example, it would cover much of the processing carried out by emergency services when responding to a threat to someone's life. Recital 46 GDPR indicates that it should in principle be relied on only where the processing cannot manifestly be based on another legitimate basis, so it is a narrow ground rather than a general-purpose one.

(e) Public interest. This is the case when the data processing activity is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. As with the legal obligation basis, Article 6(3) GDPR requires that the task or authority be laid down in Union or Member State law. This legitimate basis therefore applies mainly in areas related to public administration.

(f) Legitimate interest. This is probably the least clear and most difficult basis to understand and, at the same time, often the most flexible. To be able to rely on it, there must be an interest of the data controller or of a third party, and that interest must be legitimate (i.e., it cannot be based on an illegal or fraudulent act). The processing must also be necessary for that interest, and the interest must then be balanced against the interests, rights and freedoms of the data subjects. If the data subjects would not reasonably expect the processing, or if the processing could cause them unjustified harm, their interests, rights and freedoms are likely to override the controller's legitimate interests, and the controller cannot rely on this basis. As a result, which situations fall under this basis is to some extent a matter of interpretation, and controllers are generally expected to document the balancing exercise they carried out. The GDPR recitals give some concrete examples where legitimate interests may apply, such as fraud prevention, direct marketing, and ensuring network and information security (Recitals 47 to 49), but in any case it is an open concept to be analysed on a case-by-case basis. Note also that public authorities cannot rely on this basis for processing carried out in the performance of their tasks (Article 6(1) GDPR, last sentence).

It is important to bear in mind that the above legitimate bases are, on their own, only sufficient when the processing activity does not involve special categories of data (also known as sensitive data). These include some relatively common data such as biometric data used to uniquely identify a person, health data or trade union membership, among others. Processing of these categories is prohibited by Article 9(1) GDPR unless one of the specific exceptions in Article 9(2) applies, and in practice a controller needs both an Article 6 legitimate basis and an Article 9 exception before processing this type of data.

Finally, as a historical note, it is worth pointing out that the legitimate bases already existed in the old 1995 Directive (Directive 95/46/EC), whose Article 7 contained a list very similar to the one now found in Article 6 GDPR. However, as a directive rather than a regulation, it had to be transposed into national law, and that article was not transposed in the same way in the legal systems of the different Member States. This is why legitimate bases may seem to be something "new" introduced by the GDPR, although they are not.

Written by
Jose Caballero Gutierrez