Lawful Basis
The Lawfulness principle – Legal bases for processing personal data
The GDPR requires that your data processing must be lawful. In practice, this means that you must decide which of the codified ‘lawful bases’ (also known as legal bases) listed below applies to your processing, which depends on the nature of the processing itself.
If you need to process personal data in order to provide a service (for example, you will likely need contact information to register participants attending a congress), your legal basis should be contract (Article 6.1b). The processing must be objectively necessary for the performance of the contract in the sense that there must be no realistic, less intrusive alternatives, taking into account the reasonable expectations of the data subject. This lawful basis is not commonly used in scientific research.
Legal obligation is the appropriate legal basis for certain types of processing that you may be obligated by law to conduct, like the obligation of the UU to share employee salary information with the Tax Office (Article 6.1c). This lawful basis is not commonly used in scientific research.
Processing personal data to protect the vital interests of an individual is not often used but is nevertheless important in case the processing is needed to protect someone’s life, or to mitigate a serious threat to a person, in particular a child or a missing person (Article 6.1d). This lawful basis is not commonly used in scientific research.
Consent is the lawful basis most often used for research projects, where individuals can be directly asked for their consent – as long as they are presented with a real choice, are not compelled to give consent and will not endure any negative consequences if they do not give (or withdraw) their consent (Article 6.1a). We have explained in more detail how to assess whether consent is legitimate in Step 7 of the privacy scan, and in this guidance.
Sometimes it is impossible or impractical to individually ask participants for their consent (for example, while conducting observations in a population). Or perhaps the circumstances of the research project mean that participants do not have a truly free choice (for example, if refusing to participate would entail significant disadvantages, as can happen with clinical trials). As the university’s interest in conducting research has been officially recognized through the Higher Education and Scientific Research Act (Wet op het hoger onderwijs en wetenschappelijk onderzoek), it may be possible to rely on Public Task (Article 6.1e) in those cases. We discuss how to apply this legal basis in more detail in Step 7 of the privacy scan.
Legitimate interests is the legal basis for the processing of personal data that may apply in circumstances where processing operations do not fit neatly into any of the other legal bases, like fraud prevention or direct marketing. However, it also carries heightened obligations to balance the legitimate interests you are seeking to pursue against the rights and interests of the data subject (Article 6.1f). We discuss how to apply this legal basis in more detail in Step 7 of the privacy scan.
Further processing for scientific research is not, strictly speaking, a legal basis as listed in Art 6. But it works in practice as a legal reason why some personal data that was previously collected for other purposes can be (re)used for scientific research purposes. Art 5(1)(b) states that further processing for scientific research purposes is compatible with the original purposes, but only if such processing involves appropriate safeguards (Art 89(1)).
The GDPR states that the processing of special categories of personal data is in principle prohibited, unless one or more of the exceptions listed in Art 9(2) applies. These data include genetic, biometric and health data, as well as personal data revealing racial or ethnic origin, political opinions, religious or ideological convictions or trade union membership. You should consult the faculty privacy officer for advice if your project is planning on processing these special categories of personal data.