Lawful basis for processing is a pillar of the new General Data Protection Regulation (GDPR), and consent is one of those bases. But what does it mean for your organisation?
Bing! Another boring newsletter just appeared in your inbox. Before you delete it you check who sent it: "70% sale on tapestry - only 2 days left!".
Yeah, right: you bought some tapestries a few months back, but did you also ask to be contacted by the seller once a week for eternity?
You could instead turn the question around and ask: does the seller have a lawful basis to store and process my personal data? And which basis are they relying on to send me these boring newsletters?
What does lawful basis for processing data mean?
Under GDPR the company must be able to describe, and prove, which lawful basis it relies on to handle your personal information.
The company can rely on several types of legal grounds for processing, for example:
- Your personal data is required to fulfil an agreement (a contract) with you, or the company has a legal obligation to keep it.
- Processing is necessary to protect your vital interests (or those of another person).
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Another lawful basis is legitimate interest. Where legitimate interest is the basis for processing, the company must be able to produce an assessment of that interest showing that the organisation properly weighed it against the rights of the individual.
Sensitive information, such as trade union membership, ethnicity, sexual orientation and similar data, can never be processed on the basis of legitimate interest alone; it falls under the stricter rules for special categories of data and needs a separate condition, typically explicit consent.
Consent is always best
Legitimate interest is a very loose basis for processing and needs to be assessed afresh each time you rely on it. The consequences for not complying with GDPR are very severe.
That's why the safest lawful basis for processing is to obtain the individual's consent. It can be as simple as a specific opt-in box for the newsletter when you purchase something online. Note that the box must be unticked by default: consent has to be freely given, specific, informed and unambiguous, and given by a clear affirmative action, so a pre-ticked box or silence does not count.
If we go back to that boring newsletter you received earlier, the seller will, from 25 May next year (2018, when GDPR starts to apply), have to prove that you accepted that your details could be stored. The seller must also be able to prove which lawful basis they have for sending you that marketing newsletter.
Furthermore, the seller must make it as easy for you to withdraw your consent and cancel that newsletter as it was to give the consent in the first place.
The easiest way to avoid mistakes (and a hefty fine) when managing consents is to use Konsento, a cloud-based consent management tool.
With Konsento you can both comply with GDPR and make it really easy for your customers to manage the consents they have given. The data protection authority will be happy, but more importantly, your customers will be happy, since they know that you take their privacy seriously.