Processing of personal data must be based on one of the “legal bases” listed in Article 6 of GDPR. The legal basis for a processing operation acts as the justification for why the processing takes place. The choice of legal basis has a direct influence on how the processing must be implemented, as well as on the data subjects’ rights. It is therefore advantageous to settle the legal basis before the development phase begins, so that the necessary features can be built in to ensure compliance with the legislation and respect for the data subjects’ rights.
When development is done for a private organization (companies, associations, etc.), the following legal bases are often used:
If you are a public authority or perform tasks in the public interest, other legal bases may also be used:
Finally, protection of vital interests can in special cases be used as a basis, e.g., for processing necessary to monitor the spread of epidemics or in humanitarian emergencies.
Check on CNIL’s website whether there are specific rules that affect your choice (e.g., regarding cookies and trackers).
One legal basis must be chosen per purpose – it is not permitted to combine multiple bases for the same purpose. If a processing serves multiple purposes, a legal basis must be chosen for each of them.
If you are a public authority, legal obligation or public interest will most often be the most relevant bases.
If processing occurs as part of a contractual relationship and is objectively necessary to deliver a service (e.g., name, address, and email to create a user account on an e-commerce platform), contract is the appropriate basis.
If processing does not occur within a contractual relationship, consent or legitimate interest may be relevant bases. If processing is potentially intrusive (profiling, collection of geolocation data, etc.), consent will most often be the appropriate basis.
If processing includes sensitive information (health information, sexual orientation, etc.), an exception must also be identified under Article 9 of GDPR – in addition to the legal basis.
| Legal basis | Right of access | Right to rectification | Right to deletion | Right to restriction of processing | Right to data portability | Right to object |
|---|---|---|---|---|---|---|
| Consent | ✔ | ✔ | ✔ | ✔ | ✔ | Withdrawal of consent |
| Contract | ✔ | ✔ | ✔ | ✔ | ✔ | ✘ |
| Legitimate interest | ✔ | ✔ | ✔ | ✔ | ✘ | ✔ |
| Legal obligation | ✔ | ✔ | ✘ | ✔ | ✘ | ✘ |
| Public interest | ✔ | ✔ | ✘ | ✔ | ✘ | ✔ |
| Protection of vital interests | ✔ | ✔ | ✔ | ✔ | ✘ | ✘ |
The legal basis must always be stated in the information provided to the data subject.
If processing is based on legitimate interest, it must also be specified which interest is being pursued (e.g., combating fraud, system security, etc.).
It is recommended to document the choice of legal basis. This can, for example, be recorded in a processing overview or stated in the technical documentation.
According to the EU ePrivacy Directive, the user’s consent must be obtained before information is stored – via cookies, identifiers, or other trackers (e.g., software fingerprints, pixels) – or before information already stored on the user’s device is accessed.
However, there is an exception if cookies are used solely to carry out electronic communication or are strictly necessary to deliver a service requested by the user.
Furthermore, using one tracker for multiple purposes does not exempt it from the consent requirement for those purposes where consent is necessary. If an authentication cookie is also used for targeted advertising, for example, consent must be obtained for that purpose, just as on a page where the user is not logged in.