Today, processing personal data is not just a technical matter but a legal requirement governed by strict rules. Relevant data protection laws generally state that every data processing activity must have a legal basis. Although many believe that consent is the only way to justify processing, guidance from relevant supervisory authorities makes it clear that there are other legal grounds, too. This article explains the different lawful bases under applicable data protection laws, discusses the challenges of relying only on consent, and examines alternative bases that may be more practical and reliable.

You’ve got to get beyond consent. It may be the poster child of data processing, but like a fickle friend – it may not be there when you need it. You’ve got better friends out there if you take the time to look for them.

Lawful bases for processing personal data

What is a lawful basis?

A lawful basis is the legal justification an organisation must have before it processes personal data. According to most data protection laws, every processing activity must rest on one of several recognised justifications. This requirement helps protect individual rights while still allowing information to be processed.

Common legal bases explained

Consent

Consent is perhaps the most well-known legal basis. Consent generally means the individual’s clear, informed, and unambiguous agreement. Many data protection laws require the data subject to consent through a straightforward opt-in process. However, since people can usually withdraw consent at any time, it can be an unstable foundation for ongoing data processing.

Contractual necessity

Most data protection laws state that processing is lawful if necessary to perform a contract with the individual. For instance, an online shop may process customer data to complete an order. This type of processing does not depend on consent as long as it is essential to the contract.

Legal obligation

Many data protection laws allow data processing when it is necessary to comply with a legal requirement. Organisations must identify and document the specific legal duty that requires the processing. For example, relevant laws may require that companies keep records for tax or employment purposes.

Vital interests

Under relevant data protection laws, processing is generally allowed if it is necessary to protect someone’s life or critical interests, such as during a medical emergency. Organisations should only rely on this basis when no other legal grounds apply.

Public task

Many data protection laws permit processing when needed for a task in the public interest or when an organisation is carrying out official duties. This basis is especially relevant for public authorities or organisations performing legally mandated functions, such as public health initiatives.

Legitimate interests

Most data protection laws allow processing based on an organisation’s or a third party’s legitimate interests, as long as those interests are not overridden by the individual’s rights and freedoms. Many supervisory authorities require or recommend a privacy impact assessment before relying on this flexible basis.

Challenges of relying solely on consent

Requirements for valid consent

Under relevant data protection laws, consent must be freely given, specific, informed, and unambiguous. Organisations must ensure that individuals actively opt in. Most supervisory authorities warn that pre-ticked boxes or assumed consent do not meet these standards.

Difficulties in obtaining and keeping consent

In practice, obtaining consent can be challenging. Since individuals can withdraw their consent at any time, organisations must constantly review their data processing. Power imbalances, such as those between employers and employees, may also call into question whether the data subject gave their consent freely. Additionally, organisations must keep detailed records of how and when they obtained consent, which adds an administrative burden.

Impact when the data subject withdraws consent

If a data subject withdraws consent, organisations must quickly stop processing the data or find another legal basis. This revocation can disrupt data processing activities and affect long-term planning.

Advantages of alternative legal bases

Stability through contractual necessity

Contractual necessity offers a more stable legal basis. This basis lets organisations process data essential for fulfilling a contract. For example, service providers can continue to manage orders even if the data subject withdraws consent for other activities.

Legal obligation as a reliable anchor

Processing carried out to meet a legal obligation rests on fixed legal requirements. For example, organisations that maintain records for tax or employment purposes can do so with confidence, knowing that the relevant tax and employment laws require them to do so.

Balancing interests with legitimate interests

The legitimate interests basis allows organisations to process data if they can balance their interests against the individual’s rights. This basis is ideal when consent is not practical. For example, legitimate interests may better justify using data for fraud prevention or network security.

When consent is impractical

In some cases, such as large-scale data analysis or regulated sectors like finance and healthcare, obtaining individual consent may be impractical. For example, healthcare providers may need to process data for treatment or public health reasons without waiting for consent.

Actions you can take next

While consent is a key part of data protection law, it is not the only legal basis under relevant data protection laws. The full spectrum of legal bases – consent, contractual necessity, legal obligation, vital interests, public task, and legitimate interests – gives organisations a choice to suit their specific needs. Relying only on consent poses challenges, especially because data subjects can withdraw it, so alternative bases are often more stable and reliable.

In a time when data is both a valuable asset and a potential risk, organisations should carefully review all available legal bases. This review ensures they comply with data protection laws while maintaining smooth operations.

Your organisation can:

  • Review your data processing practices to ensure you use the correct legal bases. Check out ICO’s guide to lawful basis.
  • Check if contractual necessity or legal obligation can serve as alternative legal bases in line with relevant data protection laws. Get our help doing this by consulting with us.
  • Update your privacy notices to inform data subjects about the legal basis for processing their data. We can help you with updating your privacy policies.
  • Subscribe to our newsletter for updates on data protection law compliance and best practices.