Easy introduction to GDPR - Lesson 7

Legal basis for processing

Before we can process personal data, we need to have a legal basis. In the GDPR, there are different legal bases for processing data; these include consent, contract, legal obligation, and legitimate interest. But instead of lengthy legal definitions, we will look at the most relevant legal bases for private companies in a straightforward way.

What is GDPR? Video transcription

So the GDPR contains some really important principles. They're overarching. Those are the ones you need to have in place to have data about people. One of those really core principles is having a legal basis to process information. So what's a legal basis? Well, that is where you get some kind of permission to have the data.

There are different opportunities for you to have the data. One could be that you got consent from a user. Another one could be that you're legally obligated to have the data. That's, for example, often relevant if we're talking about HR data or financial data. It is also because you might have a contract in place with a user.

You are, for example, delivering goods. If you're a supermarket and you're sending out groceries to that user, well, you have a contract with that user because you need to deliver the goods. So, you get the email address so you can send the receipt. You also get their personal address, so you can actually take the car and go out and deliver those groceries.

That's because you're then honoring a contract. That's another legal basis. One of the more tricky and complicated ones is when we're talking about you having an interest that needs to be balanced with the user's interest; that is often used by other companies, but be prepared that it needs to be balanced. Meaning your interest in that data shouldn't overweigh also the interests of the user. Others could be that you also have an interest from a society perspective, but that's not that relevant for a lot of companies when we're talking about being a data controller and getting information from people.