Lawful basis for processing personal data


This article is written in collaboration with a law agency. However, it is intended for general information purposes only. It does not constitute a client-attorney relationship or personalized legal advice.

In order to process personal data, you must have a legal ground for doing so. As a business or website owner, it’s likely that you’ll be able to rely on one of the following legal grounds:

1. The data subject has given you consent to process their personal data for a specific purpose
Example: the typical “Sign me up to the newsletter” checkbox. Read more about asking for consent here.
Keep in mind that your customers have the right to withdraw any consent they have given at any time!

2. You need to process the data subject’s data to fulfil, or enter into, a contract with them
Example: your customer buys something from you. In order to deliver it to them, you need to store and look up their name and address.

3. You are legally obliged to do something with the data
For example, in some EU countries you are obliged to store invoices for a certain time period. Invoices contain personal data, but even if your customer withdraws all consent they have given and asks you to delete all of their data, you might need to keep a copy of any invoices. Read more here.

4. You have legitimate interests for processing the data.

In practice this could be any interest that is in accordance with the law – it is interpreted very broadly. However, the burden of proof lies with the controller/processor (you), meaning you will have to show, in a balancing test, how your legitimate interest overrides the data subject’s interests. Examples of processing activities that could be considered to fall under legitimate interest: video surveillance on private property (if proportionate); screening employee data to fight corruption; screening employee internet use to prevent work computers from being used for private purposes, etc.

In addition to these, there are two more legal grounds for processing personal data – however, they probably aren’t relevant in the context of a typical WordPress website. The legal grounds are:

  •  processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  •  processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

Keep in mind that if none of the above apply, data processing is not allowed. Read more about the legal grounds of processing in GDPR Art. 6.

Also note that for processing sensitive data, some special rules apply – read more in GDPR Art. 9.

Maarja Lehemets

Lawyer @ Triniti