Under Article 6 of the General Data Protection Regulation (GDPR), you may only process personal information about individuals if at least one of the six legal bases listed in the GDPR for processing applies.
Note: Most businesses primarily rely on "performance of a contract," "consent," "legitimate interests," and "legal obligations." It is less common for businesses to rely on "vital interests" and "public interest."
The six legal bases are:
If you are processing personal information about a user because (a) you have a contract with that user, or (b) that user has asked you to do something as a step toward entering into a contract, like requesting a quote for services, the personal information you process for the purposes of fulfilling that contract or fulfilling that request in order to enter into a contract, the "performance of a contract" legal basis applies to that processing activity.
A contract in this case does not have to be a formally signed document. It just needs to meet the requirements of contract law — where terms have been offered and accepted by the parties, both parties intend for those terms to be legally binding, and there is an exchange for consideration, like money, or anything of value.
If you are not sure if you have a contract, you should consult with an attorney before relying on this legal basis for the associated processing activities.
2. Legal Obligations: Processing personal information to comply with the law.
If you are processing personal information where the overall purpose of that processing is to comply with a legal requirement — including statutory obligations, common law obligations, certain regulatory requirements, and more — the "legal obligation" legal basis applies to that processing activity. This legal basis does not apply to processing to fulfill a contractual obligation.
If you are not sure if legal obligation applies to that processing activity, you should consult with an attorney before relying on this legal basis for the associated processing activities.
3. Vital Interests: Processing personal information to save or protect someone’s life.
If you are processing personal information for matters of life and death, like urgent medical care or humanitarian emergencies, the "vital interests" legal basis may apply.
Please note, this legal basis is very limited in scope. If you are not sure if vital interest applies to that processing activity, you should consult with an attorney before relying on this legal basis for the associated processing activities.
4. Public Interest: Processing personal information to carry out official tasks or functions or other specific tasks in the public interest.
For most Termly customers, this legal basis will not apply to any of your processing activities. While you do not have to be a public authority, generally this legal basis applies to carrying out official tasks or functions in the public interest. The processing activities where this legal basis applies are often the type of tasks a public authority would carry out. Tasks include things like the administration of justice, governmental functions, activities supporting or promoting democratic engagement, and more.
5. Consent: Giving your users ongoing choice as to whether or not you process their personal information.
To process personal information relying on your users’ permission, you must obtain consent. Consent under the GDPR must be a freely given, specific, informed, and an unambiguous indication of your users’ wishes. The user must make a statement or take clear affirmative action that signifies agreement to the processing of personal information for the specific purpose described. It means offering your users real choice and control over how you use their personal information.
When you rely on consent, you must consider if you could stop processing upon request if a user withdraws their consent. Under GDPR, users have the right to withdraw consent, and if you are unable to honor those requests, you should not rely on consent as your legal basis for processing.
6. Legitimate Interests: Where you are taking full responsibility for justifying your processing.
You can rely on legitimate interests as a legal basis if your identified interests outweigh the risk imposed on the rights and interests of your data subjects. The legal basis of legitimate interest provides flexibility, but also requires additional work BEFORE you rely on this legal basis to ensure you are applying it appropriately.
How do I know which legal basis I rely on when I process a user’s personal information?
Which basis is most appropriate to use will depend on things like:
- The categories of personal information you process.
- The reasons you need to process that personal information. For example, if you need to process personal information to process payment for an order and confirm purchase versus to serve targeted advertising to your users.
- The nature of your relationship with the relevant data subjects. For example, your legal basis might be different for the personal information you collect about your employees versus the personal information you collect about your customers.
To determine whether your processing activities (i.e., how you collect, use, store, or share personal information) are permitted under GDPR, you need to have a clear picture of the categories of personal information you process and the reasons you need to process that personal information.
- Identify each instance where you process personal information for a specific purpose.
- Review the purposes of each processing activity and select the appropriate lawful basis or bases for each.
- Confirm that each processing activity is necessary. Necessary means more than just useful for accomplishing your purpose, particularly if there are less invasive ways to accomplish the same purpose.
- We recommend documenting your decisions on which lawful bases apply so you can demonstrate your compliance effort if needed
- Note: Sensitive information requires additional analysis to make sure you are processing the data lawfully under GDPR.