We use cookies to give you a better experience. Carry on browsing if you're happy with this, or read our cookies policy for more information.

Skip main navigation

What are the six legal bases?

In this video, experts from UCL Consultants and PA Consulting explore the six legal bases for processing data under GDPR.
0.5
Let’s take a brief look at the legal bases for processing data about a natural person. A legal basis is a situation in which an organisation is legally permitted to process data. GDPR has six legal bases in total. The first is performance of a contract. This includes providing data before entering into a contract and then after processing data in accordance with that contract. For example, a potential customer calls an insurer for a car insurance quote and needs to give the organisation some personal data in order for it to provide the quote. As the data is provided to be able to create the contract, the legal basis is established regardless of whether the quote is accepted or not.
39.7
Next is a legal obligation, that is, to meet a legal or regulatory obligation of the data controller. It might include processing undertaken at behest of a court or processing undertaken to meet a regulatory requirement. For example, organisations are required by law to request diversity information from potential applicants and new employees, such as ethnicity and gender identity to meet statutory requirements. The third legal basis is the performance of a task in the public interest, including the exercise of official authority vested in the data controller. For example, a public health authority exchanging medical data during an epidemic. Next is consent.
81.1
And this means a clear, unambiguous, positive consent, given by the natural person without coercion, which can be withdrawn as easily as it was first granted. For example, a customer signing up for an account with a charity should need to opt in to marketing emails and be able to easily access a way of unsubscribing from those emails at a later date. Next is legitimate interest where processing is necessary to allow the controller or a third party to process data for their own purposes as long as they don’t override the interests or fundamental rights and freedoms of the natural person.
117.8
For example, a professional body or trade body may perform analytics on numbers of their members for their regular reporting and business planning. Finally, we have vital interests, processing of data to protect the vital interests of the individual or another individual such as if there was a risk of harm. This would only be used as a last resort and often would be processing that would otherwise require consent. For example, finding an unconscious individual wearing a medical alert bracelet and telephoning the service to find out what condition the individual has to be able to provide the appropriate vital treatment.
157.3
It is important to remember that these legal bases for processing exist alongside the rights of the natural person that we will discuss this week. We will guide you through how they are intended to work with one another.
A legal basis is a situation in which an organisation is legally permitted to process data.
In this video we explore the legal bases for processing data about a natural person. We will refer back to these when reflecting on Alex’s case study.
GDPR has six legal bases in total. It is important to note that the six legal bases must be honoured when personal data is processed.
As we proceed through this week, we will look at the rights that GDPR gives to individuals like Alex regarding the processing of their personal data. We will consider these rights against the legal bases for processing data, and explore their compatibility.
The six legal bases that Nathan and Ross outline in this video are:
  • Performance of a contract
  • Legal obligation
  • Performance of a task in the public interest
  • Consent
  • Legitimate interest
  • Protect the vital interests of an individual
  • Your task

    Take a few minutes to think of an hypothetical situation which would satisfy one of the above legal bases. Share it with your peers in the comments below.
    This article is from the free online

    Introduction to GDPR: General Data Protection Regulation

    Created by
    FutureLearn - Learning For Life

    Our purpose is to transform access to education.

    We offer a diverse selection of courses from leading universities and cultural institutions from around the world. These are delivered one step at a time, and are accessible on mobile, tablet and desktop, so you can fit learning around your life.

    We believe learning should be an enjoyable, social experience, so our courses offer the opportunity to discuss what you’re learning with others as you go, helping you make fresh discoveries and form new ideas.
    You can unlock new opportunities with unlimited access to hundreds of online short courses for a year by subscribing to our Unlimited package. Build your knowledge with top universities and organisations.

    Learn more about how FutureLearn is transforming access to education