Legal bases from the GDPR explained

Each time you process personal data, this is an invasion of the privacy of the people concerned. That is why you are only allowed to process personal data if there is really no other way. Meaning: if you cannot achieve your purpose without these data.

This means that you must have a good reason to process personal data. The General Data Protection Regulation (GDPR) lists 6 reasons. The legal term for those reasons is legal bases. You therefore need a legal basis to be allowed to process personal data.

On this page

General information about the legal bases from the GDPR

You have to assess for yourself which legal basis applies to you. This is your own responsibility. The Dutch Data Protection Authority (Dutch DPA) cannot advise you on this. You determine the legal basis before you start processing personal data.

The 6 legal bases

The GDPR lists the following 6 legal bases for processing personal data:

  1. You have consent from the person concerned.
  2. Data processing is necessary for the performance of a contract.
  3. Data processing is necessary because you have a legal obligation to do so.
  4. Data processing is necessary for the protection of vital interests.
  5. Data processing is necessary for the performance of a task carried out in the public interest / in the exercise of official authority.
  6. Data processing is necessary for representing your legitimate interests.

Tip: state the legal basis

Do you have a legal basis for your processing? Then it is recommended that you state the legal basis in the following places:

  1. In your privacy statement. To ensure that the people whose data you process know why you are allowed to do this. And they are not confronted with surprises. This may help you meet your obligation to provide information.
  2. In your privacy policy (if you have one, because not every organisation is obliged to have a privacy policy in place). This may help you meet your duty of accountability.
  3. You may also want to include the legal basis in your processing register.

Also make sure that you can properly substantiate why you have opted for this legal basis.

Exception: special categories of personal data and criminal data

Note: These rules apply for ordinary personal data only. Do you want to process special categories of personal data? Such as data about someone's health? Or criminal data? That is prohibited. Unless you meet a number of strict requirements. Having a legal basis is not enough in such case.

Personal or domestic use

Processing of personal data purely for personal or domestic use is always permitted. This does not fall under the GDPR. In this case, you do not need a legal basis. For example:

Legal basis of consent 

One of the legal bases from the GDPR is that people have given consent for processing their personal data. The GDPR contains a number of requirements that such consent has to meet. Read more: Legal basis of consent.

Legal basis of contract

One of the legal bases in the GDPR is that processing of personal data is necessary for the performance of a contract. You may rely on this legal basis if you have a contract with someone and you are unable to perform that contract without processing personal data as well.

This legal basis also applies for the stage prior to the conclusion of a contract. For example: when you draw up a quotation on request.

Make sure that you do not process personal data that are not necessary for the performance of the contract. If you do so, you will need consent or another legal basis for processing such data. Unless it concerns a compatible further processing.

Guidelines on the legal basis of contract

For more information, see the Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects of the EDPB.

Legal basis of legal obligation

Is the personal data processing necessary for meeting a legal obligation? Then you can rely on this legal basis.

Examples
Example 1: You have an order from the police to pass on certain personal data to the police. 
Example 2: You pass on the amounts of the salaries of your employees to the Tax and Customs Administration for the implementation of the tax laws.

The law does not have to say explicitly that you have to process personal data for the performance of a specific task. Sometimes, the obligation has been formulated more broadly in the law. It is up to you then to determine whether processing of personal data is necessary for meeting your obligation.

Note: You cannot rely on this legal basis for processing operations that you - usually as a government - have to perform for the exercise of a statutory power or the performance of a statutory task that you have been charged with, such as maintaining public order. A specific legal basis applies for this case.

Legal basis of vital interest

You can rely on this legal basis in a few cases only.

There is a vital interest if it concerns an interest that is essential to someone's life or health. And you cannot ask that person for consent for processing personal data. For example, if there is an imminent danger, but someone is unconscious or mentally incapable of giving consent.

Example
If there is a large-scale disaster, aid must get underway immediately. In that situation, it is impossible to inform all persons concerned first and ask them for consent for processing their medical data.

Giving access to others

Do you want to give others access to the medical data that you process based on the legal basis of vital interests? This is only allowed if you cannot base the processing on any other legal basis.

Legal basis of public interest or official authority

Is processing necessary for the performance - usually as a government - of a task assigned to you by law? Or for the exercise of your statutory powers, such as granting a permit? Then you can rely on this legal basis. This concerns tasks and powers that have been assigned to your organisation by law.

It must also be clear for people that you process their personal data for the performance of that specific statutory task. In addition, the personal data processing must be necessary for the proper performance of your public duty.

Example
As a municipality, you decide that the parking spaces in a certain street are intended for the residents of that street only. These residents have to apply to you for a parking permit. In order to issue these permits, you have to process personal data of the residents.

Type of organisations

Sometimes, non-administrative bodies can also rely on this legal basis. Are you formally not an administrative body because you do not take decisions but only perform factual acts? In that case as well, you may have a statutory task for the performance of which personal data processing is necessary. In that case, you are permitted to rely on this legal basis for your processing.

However, you have to be designated to perform the task in question in legislation. This means that you cannot determine this yourself.

Legal basis of legitimate interest

To be permitted to rely on the legal basis 'necessary for representing a legitimate interest' for your processing, you have to meet 3 requirements. With these requirements you test if your right to process personal data – because you have a legitimate interest in doing so – outweighs the right of people to protection of their personal data.

The 3 requirements are:

  1. You actually have a legitimate interest. 
  2. Processing is necessary for representing this interest.
  3. You have weighed your interests against those of the data subjects.

Requirement 1: legitimate interest 

On October 4, 2024, the Court of Justice of the European Union ruled on the legal basis of legitimate interest. As a result, an important part of the explanation previously given by the Dutch DPA to the first condition for this basis is no longer current. 

The EDPB has issued guidelines on the legal basis of legitimate interest. A public consultation for this will run until November 20, 2024. The Dutch DPA will then consider whether additional explanation by the Dutch DPA is desirable.

Commonly mentioned legitimate interests are, for example:

  • combating fraud, swindling or other unlawful conduct;
  • protecting privacy;
  • complying with duties of care for employees and/or customers.

The interest that you have in this case must be:

  1. Real. This means that it may not concern a possible interest in the future, of which you are not yet certain.
  2. Concrete. This means that you can put the interest into clear wording.
  3. Direct. This means that it concerns an interest of your own, and therefore not a general interest, a ‘societal’ interest or something similar.

Do you not have a legitimate interest? Then you cannot rely on this legal basis for your processing.

Requirement 2: necessity

Do you actually have a legitimate interest? Then, as the next step, you have to see if the personal data processing is necessary for representing this interest. You do this by checking:

  • Whether the purpose of your processing is proportionate to the invasion of the privacy of the data subjects (‘proportionality’).
  • Whether you cannot achieve the purpose in any other way, which is less far-reaching for the data subjects (‘subsidiarity’).

Are you unable to meet both requirements? Then your processing is not necessary. And you therefore cannot rely on the legal basis of legitimate interest for your processing.

Requirement 3: weighing of interests

Do you have a legitimate interest and is the data processing necessary for representing this interest? Then you finally have to weigh up your interests and the interests of the data subjects.

When weighing up these interests, you look at:

  • The consequences for the data subjects.
  • How serious the invasion of the privacy of the data subjects is.
  • Which (additional) measures you have taken for preventing or mitigating undesirable consequences for the data subjects.
  • If the data subjects can more or less expect the processing.

Note: Do you want to process personal data of children (aged under 16)? Then your legitimate interest will not easily outweigh their rights and freedoms.

Your assessment may lead to 2 conclusions:

  • The interests of the data subjects appear to carry more weight. As a result, you cannot rely on the legal basis of legitimate interest for your processing. You are therefore not allowed to process the data.
  • Your interests carry more weight. As a result, you have a legal basis for processing personal data. You are therefore allowed to process the data.