
Data Processing Under GDPR: 6 Lawful Bases for Businesses

By Safna January 9, 2025


With over half a decade under its belt, the General Data Protection Regulation still keeps the momentum going, driving transparency and accountability in data processing. It has transformed personal data handling from a careless practice into a precision-driven operation for businesses. 

Bookmark these insights to learn about the GDPR-approved grounds of personal data processing and bolster your compliance efforts.

What is GDPR data processing?

Contrary to a common assumption, "processing" covers far more than using personal data.

Article 4(2) GDPR defines processing as any operation performed on personal data, whether or not by automated means: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. If personal data passes through your systems at all, you are almost certainly processing it.

How can I ensure my company’s data processing practices comply with GDPR regulations?

  • Carry out data mapping regularly so you know what personal data you hold, where it lives, who can reach it and why.
  • Identify and record a lawful basis for every processing purpose before the processing starts.
  • Align your processing operations with the data protection principles in Article 5 (lawfulness, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, accountability).
  • Implement technical and organisational measures appropriate to the risk, as Article 32 requires (for example access control, encryption, logging and tested backup and recovery).
  • Conduct a Data Protection Impact Assessment (DPIA) whenever processing is likely to result in a high risk to individuals' rights and freedoms (Article 35), such as large-scale profiling or systematic monitoring.
  • Put a written contract, normally a Data Processing Agreement (DPA), in place with every processor or service provider that handles personal data on your behalf (Article 28).
  • Have working mechanisms to fulfil data subject requests such as access, rectification, erasure, restriction, portability and objection within the one-month deadline.
  • Appoint a Data Protection Officer where Article 37 requires one: public authorities, and organisations whose core activities involve large-scale regular and systematic monitoring or large-scale processing of special category data.
  • Provide a GDPR privacy policy (privacy notice) to data subjects covering the information listed in Articles 13 and 14.
  • Base transfers of personal data outside the EU or EEA on an adequacy decision, on appropriate safeguards such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), or on one of the narrow derogations in Article 49.
  • Document your privacy efforts so you can demonstrate compliance on request; the accountability principle in Article 5(2) makes this a duty, not a nicety.

Why does GDPR-compliant data processing matter?

GDPR compliance should be among your top priorities while processing EU personal data. Here is why.

  • Legal compliance: GDPR-compliant data processing keeps you out of regulatory enforcement action and the litigation that tends to follow it.
  • Prevent heavy fines: administrative fines under Article 83 can reach €20 million or 4% of worldwide annual turnover, whichever is higher.
  • Build customer trust and loyalty: individuals are increasingly protective of their personal data, and visibly building GDPR into your processing marks you out as a trustworthy business partner.
  • Brand reputation: a brand whose data protection practices meet GDPR standards portrays itself as one that values customer data, which strengthens its reputation and differentiates it from competitors.
  • Competitive edge in the marketplace: clients, whether businesses or individuals, look for privacy-conscious organisations to work with; GDPR-compliant processing meets that expectation and improves your market position.
  • Minimise data breach risks: the Article 32 security measures you adopt to comply also close the gaps that lead to breaches such as unauthorised access or data exfiltration, and good preparation makes the 72-hour breach notification duty in Article 33 achievable.
  • Enables cross-border data transfers: the safeguards GDPR prescribes for international transfers (adequacy decisions, SCCs, BCRs) apply whenever personal data of people in the EU is processed in a third country, so having them in place is a precondition for doing that business at all.

Taken together, these measures not only make international transfers of personal data lawful but also open up business opportunities in the European market.

GDPR-compliant approaches for data processing: 6 lawful bases 

The lawful bases for processing and the GDPR principles are the dominant discussion points in any conversation about data processing, and for good reason: without a lawful basis, the processing is unlawful from the outset.

Consent is not the only valid ground for processing personal data. Treating it as such is one of the most persistent GDPR myths.

The six lawful bases are set out in Article 6(1). They work alongside the other GDPR requirements such as data minimisation, purpose limitation, storage limitation, honouring data subject rights and data security measures; picking a basis does not excuse you from any of them.

Before you engage in the processing of personal data, pause and ask yourself these two questions:

  1. Can this data processing be backed by a lawful basis under GDPR?
  2. Which among the six lawful bases covers the processing?
Figure: the six lawful bases for processing. Source: GDPR-info.eu

Here is what the six lawful bases of data processing mean for businesses.

#1 Consent

If there were a vote on the most popular lawful basis, consent would probably win. But if you rely on a data subject's consent as the ground for processing their personal data, there is more to take care of than a single tick box.

Under Article 8, where consent is the basis for offering information society services directly to a child, the child must be at least 16 for their consent to be valid. Member States may lower this threshold, but not below 13 years. Below the applicable age, consent must come from, or be authorised by, the holder of parental responsibility.

What is valid consent?

Article 4(11) defines consent as a freely given, specific, informed and unambiguous indication of the data subject's wishes. It must be given by a clear affirmative act, such as ticking an unchecked box or signing a document; silence, pre-ticked boxes or inactivity do not count. Two further duties sit on top of that definition: you must be able to demonstrate that consent was given (Article 7(1)), which means keeping a record of who consented, to what, when and on the basis of which notice text, and the data subject must be able to withdraw consent at any time, as easily as they gave it (Article 7(3)). Consent should satisfy the following requirements:

It should be freely given 

Business insight

Do not attempt to influence the user's decision, for instance with dark patterns, and never deny them a genuine choice not to consent. Making a service conditional on consent to processing that is not necessary for that service weighs against the consent being freely given (Article 7(4)), and an imbalance of power, such as employer and employee, can undermine it altogether.

Consent must be specific and informed

Business insight

  • The consent obtained from the data subject must be tied to a specific purpose that is indicated to them at the time of data collection.
  • Give individuals the opportunity to consent separately to different purposes (granular consent) instead of asking for general consent.

Figure: cookie banner by CookieYes giving website visitors granular consent options for different types of cookies.

Unambiguous

Ensure that the data subjects know what they are consenting to. When seeking consent, be sure that the language and purposes are clear.

Business insight

Wrong example:

"Sign up to get the latest updates."

Corrected example:

"Sign up using your email address and first name to get our monthly newsletter featuring recent developments in the privacy world," followed by an explicit consent statement.

Figure: Cookie Law Info newsletter sign-up form.
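The consent requirements above translate directly into how a website should store and check consent. The following is an added illustration written for this page; it is not CookieYes code and does not reflect how the CookieYes CMP is implemented. The purpose names, the policy version string and the function names are assumptions made for the example. It shows three things the text asks for: every non-essential purpose defaults to off (no pre-ticked boxes), a record is only created from an explicit affirmative act and captures what the visitor was told so that consent can later be demonstrated, and withdrawal is a single call that is logged alongside the grant.

```javascript
"use strict";

// Added illustration, not CookieYes code. The purposes below are made up
// for the example; strictly necessary processing is deliberately absent,
// because it does not rest on consent and must never appear in the banner
// as something the visitor can "accept".
const PURPOSES = Object.freeze({
  analytics: "Measure how visitors use the site",
  marketing: "Show personalised adverts",
  newsletter: "Email a monthly newsletter to the given address",
});

// Default state: nothing is granted. No pre-ticked boxes, and nothing is
// inferred from scrolling or continued browsing.
function defaultChoices() {
  const out = {};
  for (const purpose of Object.keys(PURPOSES)) out[purpose] = false;
  return out;
}

// Build a consent record from what the visitor actually clicked.
// `choices` maps purpose -> true/false. `affirmative` is the caller's
// statement that the choices came from an explicit action (Accept,
// Reject or Save button); without it no record is created.
function recordConsent({ choices, affirmative, policyVersion, at = new Date() }) {
  if (affirmative !== true) {
    throw new Error("consent requires an affirmative act; inactivity is not consent");
  }
  const granted = defaultChoices();
  for (const [purpose, value] of Object.entries(choices)) {
    if (!(purpose in PURPOSES)) continue; // purposes never shown cannot be granted
    granted[purpose] = value === true;    // only an explicit boolean true grants
  }
  return {
    policyVersion,                        // which notice text the visitor saw
    purposesShown: { ...PURPOSES },       // what they were told, for Article 7(1) proof
    granted,
    history: [{ at: at.toISOString(), action: "given", granted: { ...granted } }],
  };
}

// Withdrawal must be as easy as giving consent (Article 7(3)): one call,
// no re-authentication, appended to the same history. Records are treated
// as immutable so the earlier state remains available as evidence.
function withdrawConsent(record, purpose, at = new Date()) {
  if (!(purpose in record.granted)) return record;
  const granted = { ...record.granted, [purpose]: false };
  return {
    ...record,
    granted,
    history: [...record.history, { at: at.toISOString(), action: "withdrawn", purpose }],
  };
}

// Gate each consent-based processing step on the record for that specific
// purpose, never on a site-wide "accepted" flag. Missing records and
// unknown purposes are denied.
function isPermitted(record, purpose) {
  return record !== null && record !== undefined && record.granted[purpose] === true;
}

// Constructed walkthrough: the visitor ticks analytics only, later withdraws it.
function demo() {
  const given = recordConsent({
    choices: { analytics: true, marketing: false },
    affirmative: true,
    policyVersion: "privacy-notice-v3",   // assumed version label
  });
  const afterWithdrawal = withdrawConsent(given, "analytics");
  return {
    analyticsBefore: isPermitted(given, "analytics"),          // true
    newsletterBefore: isPermitted(given, "newsletter"),        // false: never asked about
    analyticsAfter: isPermitted(afterWithdrawal, "analytics"), // false
    events: afterWithdrawal.history.length,                    // 2
  };
}
```

The key design choice is that the record stores what the visitor was shown (`purposesShown` and `policyVersion`) next to what they granted. If the banner text changes later, you can tell which version each consent relates to, and you know you need fresh consent for any new purpose rather than silently extending the old record.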


#2 Contract

  • Businesses may process personal data when it is necessary for the performance of a contract with the data subject, or to take steps at the data subject's request before entering into one (Article 6(1)(b)).
  • A contract between the data controller and a third party does not qualify: there must be a direct contract with the data subject.
  • A mere connection between the processing and the contract is not enough; the processing must be necessary for performing the contract or initiating it.
  • Contract as a legal basis does not apply if you could perform the contract without processing the personal data in question.
  • Pre-contractual steps taken at the data subject's request are covered, for example when an individual provides their address to check whether a delivery can be made there.
  • Unsolicited marketing does not qualify as a step necessary to enter into a contract.
  • It is not necessary to spell out every detail of the processing in the contract itself, but the controller must still meet the transparency obligations in Articles 13 and 14.

#3 Legal obligations

  • GDPR allows organisations to process personal data where it is necessary to comply with a legal obligation to which the controller is subject (Article 6(1)(c)).
  • "Necessary" is the test: if you can meet the legal obligation without processing the personal data, this basis does not apply.
  • The obligation must be laid down by Union law or Member State law; in jurisdictions where it exists, a common law obligation can count as Member State law.
  • It need not be an act of parliament; statutory instruments and other binding measures qualify (Recital 41), but contractual obligations do not.
  • The types of data and the purposes of processing should go no further than is needed to comply with the obligation.
  • Controllers should identify the specific provision of the law from which the legal obligation stems and record it in their documentation.
  • The application of the law to the processing should be clear and foreseeable to the data subject.
  • A single legal obligation can be the lawful basis for more than one processing activity, as long as each is necessary to comply with it.

#4 Vital interests

  • Vital interests (Article 6(1)(d)) applies when the processing is necessary to protect the life of the data subject or of another natural person, or to address a comparable serious threat to them.
  • A vital interest is one essential to someone's life, such as a hospital accessing a patient's health history when the patient is brought in unconscious.
  • It is a last resort: Recital 46 states it should only be used where the processing cannot manifestly be based on another legal basis, and it is typically invoked in emergencies and humanitarian situations such as epidemics or natural disasters.
  • It does not cover routine health data processing; ordinary medical care relies on other bases, and vital interests is reserved for emergencies.
  • For special categories of data such as health data, Article 9(2)(c) permits reliance on vital interests only where the data subject is physically or legally incapable of giving consent.
  • Record exactly why the processing was essential to protect someone's vital interests, and keep the data collected to the minimum the emergency required.

#5 Public tasks

  • Public task (Article 6(1)(e)) covers processing necessary to perform a task carried out in the public interest or in the exercise of official authority vested in the controller, most often a public body.
  • Those are the two circumstances it serves: performing a task in the public interest, or exercising official authority. Public healthcare services are a typical example.
  • The task or authority must itself be laid down in Union or Member State law (Article 6(3)).
  • Public authorities cannot rely on legitimate interests for processing carried out in the performance of their official tasks (last subparagraph of Article 6(1)); they must rely on public task instead.
  • Private controllers can also use this basis where they act under official authority or carry out a public-interest task assigned to them by law, for example a private company operating public infrastructure under a statutory mandate.
  • Personal data relating to criminal convictions and offences may only be processed under the control of official authority or where authorised by Union or Member State law providing appropriate safeguards (Article 10).

#6 Legitimate interest

Legitimate interest is like a Swiss army knife of legal bases- It covers an extensive range of processing operations, offering flexibility while still requiring careful justification.

  • Legitimate interests (Article 6(1)(f)) is not a fallback for processing that no other basis would justify; it is a basis in its own right, but one that puts the burden on you to show that the balance favours the processing.
  • It is appropriate only when the processing passes a three-part test, which you should document in a legitimate interests assessment (LIA):
    • Purpose: the processing pursues a legitimate interest of the controller or a third party.
    • Necessity: the processing is necessary for that interest, and there is no less intrusive way to achieve it.
    • Balancing: the interest is not overridden by the individual's interests or fundamental rights and freedoms, taking into account what they would reasonably expect at the time their data was collected.
  • Examples of legitimate interests named in the Recitals include fraud prevention and direct marketing (Recital 47) and network and information security (Recital 49).
  • Public authorities can only rely on it for processing outside their official tasks.
  • Data subjects must be told which legitimate interests you are pursuing (Articles 13 and 14) and have the right to object under Article 21; for direct marketing that objection is absolute.
  • Data collected under legitimate interests must still satisfy the data minimisation principle.

FAQ on GDPR data processing 

Do GDPR data processing requirements affect my website?

Yes. Websites with visitors from EU countries must obtain consent before setting non-essential cookies (a requirement of the ePrivacy rules, with consent judged to the GDPR standard) and must provide a privacy and cookie policy. To streamline this, businesses can integrate a Consent Management Platform and a privacy policy generator. CookieYes offers both services in one unified platform, ensuring a seamless experience for your website visitors.

Can I use third-party vendors for data processing under GDPR?

You can engage data processors to handle personal data on your behalf, provided they offer sufficient guarantees that they will implement appropriate technical and organisational measures. Article 28 requires a written contract, normally a Data Processing Agreement (DPA), which among other things obliges the processor to act only on your documented instructions, keep the data confidential, assist with data subject requests and breach notification, and delete or return the data at the end of the service.

What is the difference between a data controller and a data processor?

A data controller determines the purposes and means of the processing (Article 4(7)) and carries primary responsibility for compliance, whereas a data processor processes personal data only on behalf of, and on the documented instructions of, the controller (Article 4(8)). A processor that starts deciding purposes of its own becomes a controller for that processing.


Safna

Safna Y Yacoob is a lawyer turned data privacy writer. At CookieYes, she transforms complex privacy regulations into actionable insights for businesses. On off-hours, find her brightening days with one-liners, spinning playlists, or watching feel-good movies.
