top of page

Legality of personal data processing: the different legal bases

Updated: Mar 15

Article 6 of the GDPR is truly the article at the heart of personal data protection, since it establishes the lawfulness of data processing. It is a pillar of accountability for businesses and organisations. The lawfulness of personal data processing corresponds to its legal basis: it will justify and legitimise the data processing carried out by the organisation (private company or public body).

Liceité traitements des données
Photo by Tingey Injury Law Firm on Unsplash

In another words, a legal basis is the legal basis that authorises us to process such and such data. It is important to remember that the first step in justifying the processing of personal data by a legal basis is to ensure that the collection, use or manipulation of this data is necessary. For example, personal data cannot be processed without a specific purpose (this was the whole point of the previous article).

It is up to the data controller to determine the appropriate legal basis, the situation and the data processing concerned, with the advice and recommendations of its DPO.

There are 6 legal bases set out in Article 6 of the GDPR. This means that you can legally collect personal data if you are able to justify it on one of these bases set out below.


This principle was already enshrined in the Data Protection Act, but the GDPR has reinforced it. To be legal, consent must be free, specific, informed and unambiguous. Obtaining the consent of individuals authorises the processing of their data by data controllers, but consent does not have to be obtained in all situations.

In practice, consent is only required in a few cases.

There are, however, some data processing operations for which a request for consent is mandatory. The placing of cookies by a website, the collection of personal information via an online form, the transfer of image rights, commercial canvassing, etc. are all data processing operations for which consent must be obtained.

Execution of a contract

This applies to processing carried out by private bodies as part of a contractual relationship with the data subjects. This legal basis may also apply to public bodies where no other basis seems more appropriate.

The conditions for basing processing on this legal basis are as follows:

  • There is a contractual or pre-contractual relationship between the data controller and the data subject.

  • The contract is valid under the applicable law.

For example, when your company contracts with a customer to provide a service or deliver a product, you are bound by a contract with that person. In order for you to be able to honour your part of the contract and carry out your billing, certain personal data has been communicated to you, in particular so that the person concerned can obtain what they contracted for with your company. The mere need to fulfil a contract is therefore sufficient to justify data processing.

Compliance with a legal obligation

When the law requires you to do so, you have no choice but to process personal data. This obligation may apply to both private companies and public bodies. In order to base data processing on this legal basis, it is necessary for the processing to meet 4 cumulative conditions, according to the CNIL:

  • This legal obligation must be defined in European law or in the national law of the State to which the data controller is subject.

  • These legal provisions must establish a mandatory obligation to process personal data that is sufficiently clear and precise.

  • These provisions must at least define the purposes of the processing concerned.

  • This obligation must be imposed on the controller, and not on the data subjects concerned by the processing. [1]

For example, when you recruit a new employee or agent, you are obliged to declare them to the social security authorities.

Protecting vital interests

This legal basis is specific to certain very specific cases. It stipulates that data may be processed when it is necessary to protect the vital interests of the data subject or another individual.

For example, a hospital may process medical data and consult a patient's file in order to provide emergency care.

This legal basis is difficult for a company to apply.

The performance of a task in the public interest or the exercise of public authority

This legal basis primarily concerns public bodies. Private bodies may be concerned if they pursue a mission in the public interest or are endowed with prerogatives of public authority.

For example, the processing of data relating to public transport users for the purposes of demographic statistics and adding more buses.

Legitimate interest

This legal basis does not have a definition as such, nor is there an exhaustive list of legitimate interests. Legitimate interests must be based on common sense. According to the CNIL, it is envisaged for data processing as: "aimed at guaranteeing the security of the network and information, implemented for fraud prevention purposes, necessary for commercial prospecting operations with a company's customers, concerning customers or employees within a group of companies for internal administrative management purposes".

A company or organisation may rely on its legitimate interest if the following three conditions are met: "The interest is manifestly lawful under the law, it is determined in a sufficiently clear and precise manner and it is real and present for the body concerned, it's non-fictive". Care must be taken with this legal basis: it is forbidden to go against the rights and interests of the people whose data is being processed. It is essential to balance the rights and interests of the data subject against your interests, or at least those of your company.

An example of a legitimate interest would be the collection of data as part of the development of its commercial activity. When you are not bound by a contract with a prospect, you would have a legitimate interest in collecting their email address in order to contact them again for prospecting purposes.

To conclude

Of these six bases, the protection of vital interests or the performance of a task in the public interest (or the exercise of public authority) are only applicable in very specific cases. They are very rarely adapted to the processing of personal data by private companies.

The 4 legal bases that could be used by companies to justify their data processing are essentially: consent, performance of a contract, compliance with a legal obligation and legitimate interest.

It will therefore be necessary to choose the legal basis carefully, but above all, it is essential to choose only one.

The legal basis is the legal basis that allows companies and public bodies to collect and process personal data.

Article 6 thus provides clear and explicit legal bases, protecting individuals against potential abuses and violations of their privacy. In this way, it is not permitted to collect any data whatsoever if such processing is not clearly justified by one of the legal bases listed above.


Related blog posts:


Did you enjoy this blog post?

Find more content related to cybersecurity and GDPR regulatory compliance on the CyberSecura blog!


Find out more about our outsourced timeshare DPO services!


We need your answers!

By completing this survey, you will help us to better understand your interactions with our site and your potential needs.

Your answers are anonymous, and unless you ask to be contacted again by our teams, no personal information will be asked of you!

Thank you for your responses!


Would you like to be informed of our news and receive our latest blog articles directly in your mailbox? Subscribe to our monthly newsletter!

licéité traitements de données personnelles

Would you like to discuss your difficulties, your needs, our offers? Ask to be contacted, free of charge and without obligation, by one of our cybersecurity experts!




Los comentarios se han desactivado.
bottom of page