Legal Basis for Processing
Introduction
Article 6 of the GDPR requires that all processing of personal data must have a lawful basis. Before processing any personal data, you must identify and document which legal basis applies to each processing activity.
The Six Legal Bases
1. Consent
Description: The individual has given clear consent for you to process their personal data for a specific purpose.
When to Use:
- Newsletter subscriptions
- Marketing communications
- Optional features or services
- Non-essential data collection
Requirements:
- Must be freely given, specific, informed, and unambiguous
- Clear affirmative action required (no pre-ticked boxes)
- As easy to withdraw as it was to give
- Separate from other terms and conditions
- Records of consent must be kept
Emily Helps Features:
- Consent management system
- Granular consent options
- Easy withdrawal mechanism
- Consent audit trail
- Timestamp and IP logging for consent events
Example: Parishioner opts in to receive weekly newsletter emails.
2. Contract
Description: Processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
When to Use:
- Processing subscription payments
- Managing service accounts
- Fulfilling contractual obligations
- Pre-contractual steps at individual’s request
Requirements:
- Processing must be objectively necessary
- Must be part of the contract or pre-contractual steps
- Cannot be used as a substitute for other bases
Emily Helps Features:
- Contract management
- Service agreement tracking
- Account administration
Example: Processing payment information for a paid service subscription.
3. Legal Obligation
Description: Processing is necessary for you to comply with the law (not including contractual obligations).
When to Use:
- Tax reporting requirements
- Legal record-keeping obligations
- Responding to court orders
- Compliance with employment law
- Safeguarding obligations
Requirements:
- Must be a legal obligation under EU or Member State law
- Processing must be necessary to comply
- Document the specific legal obligation
Emily Helps Features:
- Compliance tracking
- Mandatory field indicators
- Legal hold capabilities
- Audit trail for regulatory compliance
Example: Retaining financial records for tax compliance purposes.
4. Vital Interests
Description: Processing is necessary to protect someone’s life.
When to Use:
- Medical emergencies
- Life-threatening situations
- Child protection scenarios
- Safeguarding emergencies
Requirements:
- Only when strictly necessary to protect life
- Limited to emergency situations
- Other legal bases don’t apply
- Rarely applicable in normal operations
Emily Helps Features:
- Emergency contact information
- Medical alert fields
- Safeguarding incident reporting
Example: Sharing medical information with emergency services during a crisis.
5. Public Task
Description: Processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
When to Use:
- Public authorities performing statutory functions
- Organizations exercising official authority
- Tasks carried out in the public interest
- Functions set out in law
Requirements:
- Must be performing a public task or exercising official authority
- Clear basis in law for the task
- Processing must be necessary for the task
- Document the specific public task or function
Emily Helps Features:
- Parish register management
- Sacramental records
- Church census data
- Canonical obligations
Example: Maintaining baptismal registers as required by canon law.
6. Legitimate Interests
Description: Processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
When to Use:
- Day-to-day parish operations
- Fraud prevention
- Network and information security
- Internal administrative purposes
- Direct marketing (with right to object)
Requirements:
- Identify the legitimate interest
- Show processing is necessary
- Balance against individual’s rights (Legitimate Interest Assessment)
- Cannot be used by public authorities for their official tasks
Emily Helps Features:
- Legitimate Interest Assessment (LIA) templates
- Balancing test documentation
- Right to object mechanism
- Processing justification records
Example: Keeping contact information for registered parishioners for church communications.
Choosing the Right Legal Basis
Decision Framework
graph TD
A[Need to Process Data] --> B{Is consent most appropriate?}
B -->|Yes| C[Use Consent]
B -->|No| D{Required by contract?}
D -->|Yes| E[Use Contract]
D -->|No| F{Legal obligation?}
F -->|Yes| G[Use Legal Obligation]
F -->|No| H{Protecting life?}
H -->|Yes| I[Use Vital Interests]
H -->|No| J{Public task?}
J -->|Yes| K[Use Public Task]
J -->|No| L[Use Legitimate Interests]
L --> M[Conduct LIA]
Important Considerations
- Choose Carefully: Once you’ve chosen a legal basis, it can be difficult to change
- Document Your Choice: Record why you selected each legal basis
- Multiple Bases: Different legal bases may apply to different purposes
- Review Regularly: Legal bases should be reviewed periodically
- Inform Data Subjects: Privacy notices must explain the legal basis
Special Categories of Personal Data
Higher Standard Required
Special category data (Article 9) includes:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data (for identification)
- Health data
- Sex life or sexual orientation
Additional Legal Basis Required
For special category data, you need:
- An Article 6 legal basis (as above), AND
- An Article 9 condition, such as:
  - Explicit consent
  - Employment, social security, or social protection law
  - Vital interests (when individual cannot give consent)
  - Legitimate activities with appropriate safeguards by certain non-profit organizations
  - Data manifestly made public by the individual
  - Legal claims
  - Substantial public interest
  - Health or social care purposes
  - Public health purposes
  - Archiving, research, or statistical purposes
Church Context
Religious organizations have specific provisions under Article 9(2)(d) for processing special category data of members or former members, provided:
- Processing relates to legitimate activities
- Appropriate safeguards are in place
- Data is not disclosed outside the organization without consent
Documenting Legal Basis
Records of Processing Activities (Article 30)
For each processing activity, document:
- Purpose of processing
- Legal basis relied upon
- Categories of data subjects
- Categories of personal data
- Recipients of data
- Retention periods
- Security measures
Legitimate Interest Assessment (LIA)
When relying on legitimate interests:
- Purpose Test: Identify the legitimate interest
- Necessity Test: Show processing is necessary
- Balancing Test: Balance against individual’s interests and rights
- Safeguards: Document measures to protect rights
- Decision: Document your conclusion
Emily Helps Tools
- Processing activity register
- Legal basis selector
- LIA templates and wizard
- Consent management
- Documentation repository
Common Parish Scenarios
Sacramental Records
Legal Basis:
- Public Task (canonical obligation to maintain registers)
- Legal Obligation (civil registration requirements where applicable)
Documentation: Canon law requirements, civil law obligations
Parish Newsletter
Legal Basis:
- Consent (for general parishioners)
- Legitimate Interests (for registered members with right to object)
Documentation: Consent records or LIA, subscription management
Safeguarding
Legal Basis:
- Legal Obligation (safeguarding law)
- Vital Interests (in emergencies)
- Public Task (child protection duties)
Documentation: Safeguarding policies, legal requirements
Financial Records
Legal Basis:
- Legal Obligation (tax and accounting law)
- Contract (for donors with gift aid agreements)
Documentation: Tax law requirements, contract terms
Staff and Volunteer Management
Legal Basis:
- Contract (employment/volunteer agreements)
- Legal Obligation (employment law)
- Consent (for optional benefits)
Documentation: Employment contracts, legal obligations, consent forms
Best Practices
- Be Specific: Identify the exact legal basis for each purpose
- Document Everything: Keep detailed records of your legal basis decisions
- Review Regularly: Check that your legal bases remain appropriate
- Update Privacy Notices: Ensure privacy information reflects your legal bases
- Train Staff: Ensure all staff understand legal basis requirements
- Don’t Default to Consent: Use the most appropriate basis for each purpose
- Consider Alternatives: If one basis doesn’t work, consider others
- Seek Advice: Consult legal counsel for complex situations
Last updated: October 2025