AI Summarize

Share

Consent is the most visible legal basis under GDPR, but it's also one of the most misused. Many companies rely on consent for all types of data processing, only to discover they've made their compliance harder, or illegal.

You need to have a lawful basis for collecting or using personal data belonging to individuals in the European Union (EU). Many organizations use consent as their legal basis, but consent may not be appropriate in all situations.

This article explains why you need a legal basis for processing (using) personal data, what the legal bases are, whether you can use consent as a catch-all legal basis, how to figure out which legal basis you should rely on, and how to inform individuals about your lawful basis.



Personal data is information that can be used to identify an individual, such as names, email addresses, ID numbers, and financial data.

The General Data Protection Regulation (GDPR) is an EU privacy law that outlines how organizations must treat personal data.

The GDPR applies to:

  • Individuals and organizations that process personal data belonging to individuals in the EU 
  • Entities based outside of the EU that offer goods or services to EU residents
  • Organizations based outside of the EU that monitor the behavior of EU residents

The GDPR requires applicable organizations to limit the data they process to what is necessary, inform users about their data processing activities, and have a valid legal basis for processing personal data, among other requirements.

Failure to comply with the GDPR can result in penalties of up to the higher amount of €20 million or 4% of global revenue.

What are the Lawful Bases for Data Processing?

Organizations must identify at least one legal basis before processing personal data.

These are the six legal bases for processing data under the GDPR:

  1. The data subject (the individual to whom the data belongs) consents to the processing of their data for a specific purpose (or purposes).
  2. The processing is necessary to prepare a contract (as requested by the data subject) or to fulfill a contract.
  3. The processing is required by law.
  4. The processing is necessary to protect someone's life.
  5. The processing is required to exercise a task carried out in the public interest.
  6. The processing is needed to fulfill a party's legitimate interests (as long as the data subjects' rights and freedoms don't override those interests).

Article 6 of the GDPR outlines the legal bases for data processing, including consent, contract fulfillment, and legitimate interests.

Illustration of the GDPR legal bases for data processing from GDPR Article 6

Once you have selected your lawful basis, you shouldn't change it without good reason. If consent is your legal basis, you typically can't change it to another basis.

For example, if you rely on user consent to process data but the data subject withdraws their consent, you can't just switch your legal basis to legitimate interests. You should stop processing the data, conduct a Legitimate Interests Assessment (LIA) to ensure that processing the data under the legitimate interests basis is justified, and notify the data subject of the change.

You can't use consent as a catch-all legal basis. You should only use consent when it is necessary and makes sense to do so, such as when you want to collect contact info to send marketing emails or texts to consumers or when you want to store cookies on users' devices.

If another legal basis is more suitable-such as when you need to process data to fulfill a contract or if processing is based on your or a third party's legitimate interests-you shouldn't use consent as your lawful basis.

It's important to remember that whichever legal basis you choose, the data processing must be necessary and you must inform data subjects of how you intend to use their data. If you can achieve your objectives without processing personal data, the legal basis won't apply.

Next, let's take a look at when getting user consent for processing personal data is appropriate vs. when another legal basis may be more justified.

The legal basis you use depends on your reasons for processing personal data. There are situations where more than one legal basis may apply, but you need to avoid using one legal basis across the board.

Many businesses use legitimate interests as their lawful basis due to its flexibility, but it's important to take into account factors such as the potential risk the processing poses to the data subject, the power dynamics at play, and whether the individual would reasonably expect their data to be processed for your purposes when deciding between consent and legitimate interests.

Considering the following questions can help you determine whether consent or legitimate interests is the most appropriate legal basis for your situation:

  • Who benefits from the data processing?
  • Would individuals have a reasonable expectation that their data would be processed?
  • What is your relationship to the individual and do you have power over them?
  • How would the processing impact the individual?
  • Is it likely that individuals may object to their data being processed?
  • Can you stop processing the data upon request?

Here's an overview:

Legal Basis When to Use Requires Consent? Notes
Consent Marketing, cookies, sensitive data Yes Must be informed, specific
Contract Purchase, quote, subscription No Only if contract exists
Legitimate Interest Fraud prevention, analytics, CRM No Requires LIA + balancing test

Let's take a look at when you may want to use consent, legitimate interests, and contract as your legal basis.

You can use consent as your lawful basis in situations where you want to give individuals control over whether or not you process their data. You will also want to get consent if you plan on using individuals' data for purposes they wouldn't reasonably expect.

Data processing activities where it might make the most sense to use consent as your legal basis for processing data include:

  • Email or SMS marketing
  • Targeted advertising
  • When using cookies or similar tracking technology
  • When processing sensitive personal data (a special category of data that includes race, religious beliefs, and health information)
  • When you want to share the data with third parties
  • When you want to use the data in a way the data subject wouldn't reasonably expect
  • If you want to process data in a way that is incompatible with your original purpose

For consent to be valid, it must be freely given, informed, and require affirmative action, and data subjects need to be able to withdraw their consent at any time. It must be given for specific purposes and cannot be required as a condition for receiving a service. If you are processing data for multiple purposes, you need to get separate consent for each purpose.

Article 7 of the GDPR lists the conditions that data controllers (those who make decisions about how and why to process data) must meet to obtain valid consent, including providing a way for data subjects to withdraw their consent and ensuring consent isn't required to receive services.

Depiction of conditions required to obtain valid consent through data processing from GDPR Article 7

You will need a consent mechanism to obtain and record consent. Many organizations use a statement that the user agrees to their Privacy Policy and/or Terms and Conditions agreement next to a checkbox that they must tick before their data is processed.

A Privacy Policy is a document that explains how you handle personal information and how users can exercise their privacy rights, while a Terms and Conditions agreement lists the rules and responsibilities users must agree to in order to use your services.

Users who want to sign up for a Kroger account must tick a box next to a statement that they agree to its Terms and Conditions agreement and-if they are a Colorado or California resident-consent to its program terms.

Screenshot of Kroger's account sign-up form with checkbox to indicate agreement to its terms and conditions

When to Use Contract Fulfillment as Your Lawful Basis

You can use this legal basis when you have (or intend to have) a contract with an individual and need to process data to either carry out the contract or execute a contract-related request from the individual.

Situations in which you might want to use contract fulfillment as your lawful basis for processing data include:

  • Fulfilling a quote request
  • Processing payment details
  • Confirming or shipping an online order
  • Completing a booking

If your data processing involves a contract, you'll likely want to use the contract basis. However, even in situations involving a contract, you need to consider all the details involved in your data processing before selecting a legal basis.

For instance, if you need to process the data to provide a requested quote and for fraud prevention purposes, you may want to use both the contract and legitimate interests bases.

The London Zoo's Privacy Policy lets users know that it may process their data to satisfy a contract they have entered into in addition to processing data under the consent and legitimate interests legal bases.

Screenshot of London Zoo's Privacy Policy mentioning its legal bases for data processing

When to Use Legitimate Interests as Your Lawful Basis

You can use legitimate interests as your lawful basis when data processing is necessary to fulfill your (or a third party's) legitimate business needs. This basis can only apply if the data subjects' rights and freedoms don't override your legitimate interests.

For example, if your data processing isn't required by law but benefits you or others, doesn't have much of an impact on the data subject's privacy, and is used in a way that the individual would reasonably expect, you may want to rely on legitimate interests as your lawful basis.

Purposes for which you can use legitimate interests as your lawful basis for processing data include:

  • Fraud prevention
  • Targeted advertising
  • Data security
  • Processing employee data
  • Direct marketing

Many businesses choose legitimate interests as their legal basis for processing data as it allows them to retain control over the processing.

If you decide to process data under the legitimate interests basis, you will need to:

  • Make sure the processing doesn't infringe on data subjects' rights and freedoms
  • Ensure the processing aligns with data subjects' reasonable expectations of how their data would be used
  • Be able to justify your processing (typically through an LIA)

You can use the United Kingdom's (UK) Information Commission Office's (ICO) sample LIA template to help determine whether the legitimate interests basis applies to your data processing.

Screenshot of the UK Information Commission Office's sample LIA template

To comply with the GDPR, you'll need to document your legal basis or bases and notify users about your reasons for processing their data.

Many businesses use a Privacy Policy to inform users about their legal bases for processing personal data.

Privacy Policies typically include the following clauses:

  • What kinds of information the business collects and processes
  • The business's reasons for processing personal data
  • Whether the business shares personal data with third parties
  • The categories of third parties the business shares data with
  • The lawful basis for the data processing
  • How the business keeps the data it processes secure
  • How individuals can exercise their privacy rights
  • How long the business retains data
  • The business's contact information

LinkedIn's Privacy Policy explains that it relies on consent, contract, and legitimate interests to process users' personal data.

Screenshot of LinkedIn's Privacy Policy section explaining their legal bases for data processing

You should provide an easily accessible link to your Privacy Policy at the point of data collection so that users can find out about your legal basis for processing their data.

Common places to put Privacy Policy links include:

  • Website footers
  • Checkout pages
  • Account log-in and sign-up pages
  • In-app menus
  • Consent banners

Northwest Bank includes a link to its Privacy Policy on its login page.

Screenshot of Northwest Bank's login page with a link to its Privacy Policy

Summary

The GDPR requires you to have a lawful basis for processing personal data belonging to individuals in the EU.

The six legal bases for processing personal data under the GDPR are:

  1. When you have consent to process the data for a specific purpose (or purposes)
  2. When the processing is necessary to prepare or fulfill a contract
  3. When the processing is necessary to fulfill a legal requirement
  4. When the processing is necessary to protect someone's life
  5. When the processing is necessary to perform a task in the public interest.
  6. When the processing is needed to fulfill a party's legitimate interests, as long as the data subjects' rights don't override those interests

You cannot use consent as a catch-all legal basis. The legal basis (or bases) you use should apply to your specific needs and data processing activities.

If you want to give individuals choices and control over how their data is processed it makes sense to use consent as your legal basis for processing personal data.

You can process personal data under the contract basis if the processing is necessary to fulfill a contract or needed to perform a contract-related request from an individual.

You can use legitimate interests as your legal basis for processing data if you have a legitimate business need that doesn't override the data subject's rights and freedoms, the processing would be reasonably expected by the data subject, and you can demonstrate that the data processing is necessary.

Whichever lawful basis you choose, you should use your Privacy Policy to notify individuals of your reasons for processing their data.

Privacy Policy Generator
The first step to compliance: A Privacy Policy.

Stay compliant with our agreements, policies, and consent banners — everything you need, all in one place.

Generate Privacy Policy