As we mentioned in the previous topic (“Am I allowed to process personal data?”), one of the most important topics when processing personal data is to have legal grounds — essentially, a legal reason why it is permitted to process the data.
For this topic, we will stay within the EU context and use the GDPR as our reference.
According to the GDPR, at least one of the following conditions must apply; otherwise, the processing is illegal. For a controller (a person or company deciding how and why data is processed), this means that when designing a new processing activity, they must know which legal grounds apply and transparently inform data subjects (in a Privacy Notice). They must also keep a record of the processing activity in their Records of Processing Activities (RoPA).
Please note: there is no single legal basis covering all processing activities carried out by a company — different processing operations usually rely on different legal bases.
Also, within what might look like a single processing activity, multiple legal grounds may apply to different categories of data.
Let’s look at the potential legal bases for processing:
- Performance of a contract
Processing is necessary for the performance of a contract to which the data subject is a party. This also covers the “pre-contractual” period, when data is collected in preparation for entering into a contract.
“Contract” may sound like a formal legal document, but it is not always a signed piece of paper. Examples include:
- A company processing personal data of its employees. It needs information such as name, address, and bank account number to pay salaries. The relevant contract here is the employment contract.
- An online shop processing customer orders. It needs information such as name and delivery address to deliver the goods. The contract here is the purchase agreement.
- Consent
You may wonder why consent is not listed first — even though it appears first in GDPR Article 6.
Consent is a common legal basis for processing (and in some cases irreplaceable). It means asking a data subject if they agree to the processing of their personal data.
However, consent must meet several strict requirements. It must be:
- Freely given — voluntary and not forced. You cannot make access to a service conditional on accepting unrelated data processing.
- Specific — tied to a particular purpose and data type. The individual must know exactly what data is collected and for what purpose.
- Informed — provided in clear, plain language, including information on purposes, rights, and withdrawal.
- Unambiguous — requires a clear affirmative action (e.g., ticking a box). Silence or pre-ticked boxes are not valid.
- Withdrawable — individuals must be able to withdraw consent easily at any time, without penalty.
Example: In an online shop, consent applies to marketing activities (such as newsletters or personalization). Customers have a voluntary choice — “Do you want newsletters and personalization? Yes/No.” But even if they say no, the shop can still process their name and address to deliver the goods, because that is based on contract performance.
If a customer later withdraws consent for personalization, the shop does not need to delete all of their data (and in fact is not allowed to). It may still keep order-related data for the required retention period (e.g., for warranty claims).
- Legitimate interest
Processing may be based on the legitimate interests of the controller or a third party, provided that these interests are not overridden by the rights and freedoms of the data subject. This ground should be used cautiously, particularly where individuals might reasonably object or where children are involved.
When using this ground, organizations should perform a Legitimate Interest Assessment (LIA) to balance their interest against the individual’s rights.
Examples include:
- CCTV for security of people or property
- Fraud prevention
- Network and IT security
- Legal obligation
Processing may be necessary to comply with a legal obligation. In this case, the rules are usually clear: what data must be kept, how long it must be kept, and for what purpose. However, this data cannot be used for purposes beyond what the law requires.
Example:
An employer must keep employee records (e.g., name, address, social security number, employment details) for a legally defined period (which varies by country, often 30–45 years) for social security and tax authorities.
- Vital interest
This ground is rarely used. It applies in life-or-death situations where processing is necessary to protect someone’s life or health.
Example:
First responders sharing personal data with a hospital in an emergency.
The key point: it applies only in unavoidable situations and only to the extent strictly necessary.
- Public task
This is the last legal basis listed in the GDPR.
This basis applies when processing is necessary to perform a task carried out in the public interest or in the exercise of official authority. In the business context, this is uncommon.
Example:
A municipal authority processing citizens’ personal data within a population register.
What are the key reminders?
In the standard business world, the legal bases are usually performance of a contract, consent, legitimate interest, or legal obligation.
Legal grounds are not permanent. An online shop may process data to fulfill an order, but it can only keep the data for as long as legally necessary (e.g., the warranty period).
Assess each data type separately. For instance, you might process a customer’s age for marketing with their consent, but you cannot process their social security number for marketing purposes.