GDPR Brief: “at least one” legal basis for processing under the GDPR — clarifying Article 6(1)

6 Jan 2020

Article 6(1) of the GDPR states that: “Processing shall be lawful only if and to the extent that at least one of the following applies: […]”; 6(1)(a)–(f) present the different bases. Does “at least one” legal basis suggest that a number of bases – could be used at the initial point of gathering personal data, thereby creating greater flexibility when considering the legal basis for further, secondary processing of those data?

Article 6(1) of the GDPR states that: “Processing shall be lawful only if and to the extent that at least one of the following applies: […]”; 6(1)(a)–(f) present the different bases. Does “at least one” legal basis suggest that a number of bases – for example, consent, the (qualified) interests of the data controller, the public interest – could be used at the initial point of gathering personal data, thereby creating greater flexibility when considering the legal basis for further, secondary processing of those data? Could the secondary processing (either in terms of direct inclusion in the stated primary purpose and basis for the processing, or through an argument of compatibility with that stated purpose) appeal to only one of the range of legal bases identified at the outset? Consensus when discussing the draft of this brief suggests that “at least one” does not give such flexibility, but reinforces a conclusion about the need for clarity.

Consistency of language

Article 6(1) is the only place where multiple legal bases is hinted as a possibility. The Recitals relating to legal basis do not address the “at least one” point. Recital 40 indicates that processing should be “on the basis of the consent […] or some other legitimate basis”. Article 13(1)(c) indicates that data subjects should be provided with information including “the purposes of the processing […] as well as the legal basis for the processing” (emphasis added). This would suggest that, whereas multiple legal bases are available, one must choose only one basis. This is reinforced in Recital 50, where the interpretation of further processing for compatible purposes is discussed in relation to the original legal basis.

Guidance

In its guidance on consent (WP259 rev.01), the Article 29 Working Party states: “The application of one of these six bases must be established prior to the processing activity and in relation to a specific purpose” (p. 23). The Article 29 Working Party Opinion 03/2013 on purpose limitation indicates a similar single legal basis when discussing how to ensure fairness in compatible processing. The recent “Report on Experience Gained in the Implementation of the GDPR” published by the Independent German Federal and State Data Protection Supervisory Authorities also discusses the legal basis in relation to compatible processing.

What can be drawn from this?

The better focus in reading Article 6(1) is “the extent that at least one of the following applies” (emphasis added). Different aspects of personal data processing within a project could each require a different legal basis for processing – some parts consent, other parts public interest – but “the extent that” each “applies”, requires consistency with each particular legal basis for primary processing in any further, compatible processing. Rather than giving greater flexibility for secondary processing of already gathered personal data, Article 6(1) requires that any legal basis selected for each part of the processing must be effectively communicated to the data subjects and the different legal requirements for each basis must be followed. 

NOTE: I am particularly grateful to those who gave comments on the draft of this GDPR Brief. Any errors are all mine.

Further Reading

• Article 29 Working Party, Guidelines on consent under Regulation 2016/679
• Article 29 Working Party, Opinion 03/2013 on purpose limitation (under the Directive)
• Independent German Federal and State Data Protection Supervisory Authorities, “Report on Experience Gained in the Implementation of the GDPR” (November 2019)

Relevant GDPR Provisions

• Recital 33 – Consent to Certain Areas of Scientific Research
• Recital 40 – Lawfulness of Data Processing
• Recital 50 – Further Processing of Personal Data
• Article 5(1)(a) – Principles Relating to Processing of Personal Data
• Article 6 – Lawfulness of Processing
• Article 13(1)(c) – Information to be Provided Where Personal Data are Collected from the Data Subject

David Townend is Professor of Law and Legal Philosophy in Health, Medicine and Life Sciences at Maastricht University.

See all previous briefs.

Please note that GDPR Briefs neither constitute nor should be relied upon as legal advice. Briefs represent a consensus position among Forum Members regarding the current understanding of the GDPR and its implications for genomic and health-related research. As such, they are no substitute for legal advice from a licensed practitioner in your jurisdiction.