Carolyn Thurston Smith, policy executive at the Law Society of Scotland, explains the legal bases in article 6 of the General Data Protection Regulation (GDPR).

Article 6 of the GDPR sets out legal bases for processing of personal data. Data processing is only lawful if the controller has a legal basis for the particular processing activity taking place, so it may be lawful for the controller to use a particular set of data for one purpose but unlawful to use that same data in a different context.

Understanding Article 6 is key to understanding how the GDPR affects you.

What are the legal bases which can be used?

The possible grounds for processing are:

  • Consent
  • Performance of a contract to which the data subject is party, or to take steps prior to entering into a contract at the request of the data subject
  • Compliance with a legal obligation which the controller is bound to comply with
  • Protection of the vital interests of the data subject or another natural person
  • Performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • Legitimate interests pursued by the controller or a third party

For the last of these there is an exception where the interests in question are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This basis also has restrictions on its use in the public sector.

Where the basis for processing is a legal obligation, or a task carried out in the public interest, or exercise of official authority, then the parameters will be determined by EU law or domestic law of the relevant member state.

What happens if the controller wants to process existing data for a new or different purpose?

In some cases a controller may wish to use data they hold already for a different purpose from the one for which it was originally collected.This is permitted in certain circumstances. Where the controller seeks to rely on a basis other than consent, or on EU or Member State law, the controller has to consider whether this other purpose is compatible with the original purpose, taking into account the following factors:

  • Any link between the original purpose and purposes of the intended further processing
  • The context in which the personal data was collected and relationship between the data subject and the data controller
  • The nature of the data
  • Possible consequences of further processing

As a rough rule of thumb, if the data subject would be surprised by the different purpose then it is probably incompatible.

These rules apply to all types of organisation from law firms and other businesses to public authorities. A particular processing action may be lawful on the basis of more than one of the conditions for processing outlined above. The most important thing is to consider that whatever processing you’re carrying out, you must have identified at least one legal basis to support that action.

Grey steps with a pair of legs climbing up


Our guide to data protection from the perspective of a legal practice