Overview

This article establishes the legal bases for processing personal data under GDPR. Personal data must be processed lawfully based on one or more of the recognized grounds: consent, contract, legal obligation, vital interests, public task, or legitimate interests. Safeguards must be applied for any further processing beyond the original purpose.

Key Principles

  • Consent: Processing is lawful when the data subject has given clear and informed consent.

  • Contractual Necessity: Processing required to fulfill a contract with the data subject.

  • Legal Obligation: Processing required to comply with a legal requirement.

  • Vital Interests: Processing necessary to protect the life of the data subject or another individual.

  • Public Task: Processing required to perform a task carried out in the public interest or in the exercise of official authority.

  • Legitimate Interests: Processing necessary for the organization's legitimate interests, balanced against the rights and freedoms of the data subject.

  • Purpose Limitation: Any further processing must have appropriate safeguards.

Organizational Applicability

This article applies to all organizations that process personal data, provided the processing falls within the EU’s jurisdiction:

  • Organizations determining the legal basis for processing personal data of EU/EEA individuals.

  • Public and private sector entities acting as controllers or processors.

  • Teams responsible for contracts, compliance, legal obligations, or data governance.

Implementation Requirements

  • Identify and document the legal basis for each processing activity.

  • Implement policies and procedures to ensure lawful processing.

  • Apply safeguards when processing personal data for new or secondary purposes.

  • Maintain records demonstrating the basis for processing and related decisions.

Implementation Guidance

  • Maintain a Record of Processing Activities (RoPA) that specifies the legal basis for each activity.

  • Ensure consent is obtained and documented where applicable.

  • Review contracts, legal obligations, and organizational purposes to verify processing legality.

  • Conduct periodic assessments to confirm continued compliance with lawful processing requirements.

Periodic Review

  • Frequency: Annually or whenever processing activities or legal requirements change.

  • Responsible Role: Data Protection Officer (DPO) or Compliance Team.

  • Outcome: Ensure all processing remains lawful and properly documented.

Non-Compliance Risks

  • Fines: Up to €20 million or 4% of global annual turnover.

  • Legal Exposure: Regulatory actions or enforcement notices.

  • Reputational Damage: Loss of trust and credibility with customers, partners, and regulators.

  • Operational Risk: Inability to lawfully continue processing personal data.