
GDPR: 6 lawful ways to process personal data


Now that we’re just a couple of months away from the enforcement date of the General Data Protection Regulation 2016/679 of the European Parliament and the Council of 27 April 2016 (GDPR), companies, freelance professionals and public bodies need to adapt themselves to its legal requirements and principles, something which represents a significant challenge.

In the following post we look at the different principles laid out by the Regulation for the lawful processing of personal data.

This post is also available in Spanish.



GDPR: In what situations is personal data processing allowed?

The lawfulness of data processing is regulated by Article 6 of the GDPR, which defines six different conditions that justify the processing of data:

  1. With the individual’s unambiguous consent   
  2. Contractual obligation
  3. In the legitimate interest of the data controller
  4. In the vital interests of the data subject
  5. In the public interest
  6. In compliance with legal obligations

As you can see, unambiguous consent is one of them, but not the only one.

“In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis, laid down by law.”
Recital 40 GDPR

1. With the individual’s unambiguous consent   

Under the GDPR, one of the lawful ways to process the personal data of European Union residents is by obtaining the consent of the data subject, and the characteristics of this consent are one of the main new features introduced by the Regulation.

The consent described in Article 4.11 of the Regulation consists of a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of their personal data, either by means of a statement or by a clear affirmative action.

What is required, therefore, is a positive action that leaves no room for doubt regarding the subject’s wishes. This means that the option of obtaining tacit consent for personal data processing is no longer available. Recital 32 of the Regulation clearly affirms that: “Silence, pre-ticked boxes or inactivity should not therefore constitute consent.”

The main problem posed by this new legal regulation is that consent previously obtained in one of these ways must be collected once again. In other words, if consent was obtained several years previously by means of a pre-ticked box, it will no longer be valid.

It is also important to highlight that if we want to process data related to health or to minors, it will be essential to obtain explicit consent.

However, as we have previously mentioned, consent is not the only lawful basis for processing personal data.


2. Contractual obligation

This applies when the processing is related to the parties to a business, employment or administrative agreement and is required to maintain or fulfil the agreement.

For example, this could be the processing of an employee’s name, surname and photograph to produce a company ID card, as established by the Spanish Data Protection Agency in its guide for the citizen.

3. In the legitimate interest of the data controller

This applies when the processing is necessary for compliance with a legal obligation of the data processor, as long as this is not overridden by the interests or rights and freedoms of the data subject, bearing in mind the reasonable expectations of the subject based on their relationship with the data controller.

Therefore, although the controller may process the data without having obtained consent by virtue of their legitimate interest, the subject may also assert their rights and freedoms by exercising their right of opposition.

We can see that among all these situations of lawful processing, the satisfaction of legitimate interests is the one that generates the most uncertainty as it can cover a wide range of concepts.

For this reason, Recitals 47 to 49 of the GDPR give examples of cases in which the legitimate interests of the processor may apply: prevention of fraud, transmitting data within a group of companies, and transmitting data to ensure network security.

Another example would be the use of what are known as “onboard cameras” on vehicles, for the purpose of recording images as legal evidence in the event of an accident.



4. In the vital interests of the data subject

In this case, the processing is necessary to protect the vital interests of the data subject or another physical person. Recital 46 gives examples of vital interests and public interest as those which require processing for humanitarian purposes (to control epidemics, for example) and situations of humanitarian emergencies, in particular in situations of natural and man-made disasters.

5. In the public interest

The processing is required for the purpose of fulfilling a mission carried out in the public interest or in the exercise of public powers conferred on the processor.

For example, schools may obtain a central sex offenders’ registry clearance certificate, which is required for everyone who works with minors.

In this regard, the GDPR stipulates that, both for the fulfilment of public interests and legal obligations, Member States may maintain or introduce more specific provisions for the purpose of adapting their regulations to the GDPR.

6. In compliance with legal obligations

It will not be necessary to obtain consent for processing personal data when this is required for the purpose of compliance with the legal obligations of the data processor who has collected the data.

For example, one of the legal obligations that electronic trust service providers such as Signaturit must comply with is to preserve data and documents for a period of 5 years in compliance with Article 25 of Law 34/2002, of 11 July, on information society and e-commerce services.


Companies, freelance workers and institutions that process personal data must justify the processing based on one of these six principles in order for it to be considered lawful. Identifying which principle applies to each personal data processing activity is an essential task in the process of adapting to the new GDPR.

To summarise, we can see that the new Regulation clearly sets out the six cases in which personal data processing is considered to be lawful, meaning that those responsible for data processing should analyse whether their processing is being carried out correctly or whether it needs to be adapted to the new conditions that will shortly be imposed.
