In data protection terms a ‘legal basis’ (also referred to as a ‘lawful basis’ or ‘lawful reason’) means the legal justification for the processing of personal data. A valid legal basis is required in all cases if a data subject’s personal data are to be lawfully processed in line with data protection law. Under the GDPR, there are six possible legal bases for processing personal data, found in Article 6, namely: consent; contractual necessity; compliance with a legal obligation; protecting vital interests; performance of an official or public task; and legitimate interests (where the interest is not outweighed by the data subject’s).

There is no hierarchy or preferred option within this list, but instead all processing of personal data should be based on the legal basis which is most appropriate in the specific circumstances of that processing. SMEs should be aware that there may be different legal bases applicable to different types of processing of the same personal data.

It is important to note that ‘consent’, whilst perhaps the most well-known, is not the only legal basis for processing personal data – or even the most appropriate in many cases. Where consent is used, there are a number of special requirements for it to provide a valid legal basis for processing; it has to be specific, informed, and unambiguous, and it has to be freely given. It must always be possible to withdraw consent after it has been granted; once it is withdrawn, the personal data cannot be processed any further on the basis of consent.

Find out more about data protection basics: https://arc-rec-project.eu/wp-content/uploads/2021/01/ARC-GUIDANCE-Data-Protection-Basics-1.pdf