GDPR Fundamentals: Legal Basis for Processing

Author: kirkpatrickprice00

Description: Learn more at
The major principle of GDPR is to ensure that personal data is processed lawfully, fairly, and transparently. To follow this principle, Chapter 6 of the GDPR requires any organization processing personal data to have a valid legal basis for that processing activity. Think of these as scenarios in which it would be lawful to process data. The law provides six legal bases for processing:
Consent – The data subject has given consent to the processing activity. Consent must be freely given, clear, and easy to withdraw, and the consent process itself must be very clear. Organizations need to be careful when choosing consent as their legal basis; it’s not a catch-all solution. The age of automatically-checked consent boxes is coming to an end under GDPR.
Performance of a Contract – Self-explanatory, right? The processing activity is necessary to enter into or perform a contract with the data subject. If the processing activity does not relate to the terms of the contract, it needs to be covered by a different legal basis.
Legitimate Interest – This is a processing activity that a data subject would normally expect from an organization to which it gives its personal data, such as marketing activities. If legitimate interest is used as a legal basis for processing, the organization has to do a balancing test: is this processing activity necessary for the organization to function? Does the organization’s interest in the processing outweigh any risks to a data subject’s rights and freedoms?
Vital Interest – A rare processing activity that could be required to save someone’s life. This is most commonly seen in emergency medical care situations.
Legal Requirement – The processing activity is necessary for a legal obligation. This legal basis only applies to European Union or Member State law.
Public Interest – A processing activity carried out by a government entity or by an organization acting on behalf of a government entity.
About Us
KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to clients in more than 48 states, Canada, Asia, and Europe. The firm has over 13 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, PCI DSS, HIPAA, HITRUST CSF, GDPR, ISO 27001, FISMA, and CFPB frameworks.
