IT Lexicon

Legal basis

Any processing of personal data must be lawful in order to be implemented under the conditions enshrined in the GDPR and the Data Protection Act.

To be lawful, the processing of personal data must be based either on the consent of the data subject or on another legal basis provided for by law, whether in the GDPR or in another provision of national or European Union law.

This ground is called the legal basis of the data processing.

There are six legal bases for processing personal data:

  • Consent;
  • Contract;
  • Legal obligation;
  • The public interest mission;
  • Legitimate Interest;
  • Safeguarding vital interests.

The legal basis is defined according to the purpose of the data processing. Thus, if the same processing operation pursues several purposes, each purpose may have its own, possibly different, legal basis. On the other hand, there can only be one legal basis per purpose of data processing.

Each legal basis must be carefully determined by the data controller according to its suitability for the purpose of the processing or any existing legal obligations.

Data subjects must be informed by the controller of the legal basis for processing their personal data.

The legal basis of a processing operation must also be recorded in the register of processing operations kept by the controller.

GDPR Point

“Processing shall be lawful only if and to the extent that at least one of the following applies:

    1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
    2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
    3. processing is necessary for compliance with a legal obligation to which the controller is subject;
    4. processing is necessary in order to protect the vital interests of the data subject or of another natural person;
    5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
    6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

Article 6, paragraph 1 of the GDPR

Point of jurisprudence

The Slovenian supervisory authority recalls that every processing of personal data must have a legal basis. Specifically in the context of a joint liability situation, it states that “each controller must provide an appropriate legal basis”.

Informacijski pooblaščenec, December 18, 2020, no. 07121-1/2020/2281

The Bouchara Law firm assists you in particular with:

  • Making your organization GDPR compliant;
  • The drafting of data protection policies (privacy policy, computer charter …);
  • Documentation of your processing (register of processing activities, register of violations, privacy impact analysis, prior consultation…);
  • Obtaining certifications and adhering to codes of conduct;
  • The study of the legal feasibility of the implementation of a new personal data processing;
  • The drafting and transmission of your codes of conduct to the CNIL for approval;
  • Legal analysis of the compliance of your data processing, including data transfers outside the European Economic Area;
  • Drafting and negotiating your data processing agreements (DPA);
  • Drafting your Binding Corporate Rules (BCR) and Codes of Conduct;
  • Training and awareness of your employees.

We are also the external Data Protection Officer of many data processors and subcontractors.