[0:01] Let's take a brief look at the legal bases for processing data about a natural person. A legal basis is a situation in which an organisation is legally permitted to process data. GDPR has six legal bases in total. The first is performance of a contract. This includes providing data before entering into a contract and then after processing data in accordance with that contract. For example, a potential customer calls an insurer for a car insurance quote and needs to give the organisation some personal data in order for it to provide the quote. As the data is provided to be able to create the contract, the legal basis is established regardless of whether the quote is accepted or not.

[0:40] Next is a legal obligation, that is, to meet a legal or regulatory obligation of the data controller. It might include processing undertaken at the behest of a court or processing undertaken to meet a regulatory requirement. For example, organisations are required by law to request diversity information from potential applicants and new employees, such as ethnicity and gender identity, to meet statutory requirements. The third legal basis is the performance of a task in the public interest, including the exercise of official authority vested in the data controller. For example, a public health authority exchanging medical data during an epidemic. Next is consent.

[1:21] And this means a clear, unambiguous, positive consent, given by the natural person without coercion, which can be withdrawn as easily as it was first granted. For example, a customer signing up for an account with a charity should need to opt in to marketing emails and be able to easily access a way of unsubscribing from those emails at a later date. Next is legitimate interest, where processing is necessary to allow the controller or a third party to process data for their own purposes as long as they don't override the interests or fundamental rights and freedoms of the natural person.

[1:58] For example, a professional body or trade body may perform analytics on numbers of their members for their regular reporting and business planning. Finally, we have vital interests, processing of data to protect the vital interests of the individual or another individual such as if there was a risk of harm. This would only be used as a last resort and often would be processing that would otherwise require consent. For example, finding an unconscious individual wearing a medical alert bracelet and telephoning the service to find out what condition the individual has to be able to provide the appropriate vital treatment.

[2:37] It is important to remember that these legal bases for processing exist alongside the rights of the natural person that we will discuss this week. We will guide you through how they are intended to work with one another.

What are the six legal bases?

A legal basis is a situation in which an organisation is legally permitted to process data.

In this video we explore the legal bases for processing data about a natural person. We will refer back to these when reflecting on Alex’s case study.

GDPR has six legal bases in total. It is important to note that the six legal bases must be honoured when personal data is processed.

As we proceed through this week, we will look at the rights that GDPR gives to individuals like Alex regarding the processing of their personal data. We will consider these rights against the legal bases for processing data, and explore their compatibility.

The six legal bases that Nathan and Ross outline in this video are:

  • Performance of a contract
  • Legal obligation
  • Performance of a task in the public interest
  • Consent
  • Legitimate interest
  • Protect the vital interests of an individual

Your task

Take a few minutes to think of a hypothetical situation which would satisfy one of the above legal bases. Share it with your peers in the comments below.

This video is from the free online course:

Introduction to GDPR: General Data Protection Regulation

UCL (University College London)