Geo data – support for researchers

Lawful Basis

The Lawfulness principle – Legal bases for processing personal data 

To ensure that personal data is used in a fair manner, the GDPR defines (in Article 6) only six grounds on which the processing of personal data is lawful. In practice, this means that you must decide which of the codified ‘lawful bases’ (also known as legal bases) applies to your process, which depends on the purposes of the process itself.

Most daily activities require rather simple and foreseeable processing of personal data, and for many of those processing activities, contract (Article 6(1)(b) GDPR) would be the most appropriate legal basis.

Keep in mind that contract is appropriate only when the processing activity is objectively and strictly necessary to provide a service, or for the performance of a contract. 

For example, when a person buys a product, or registers for a conference or workshop, the controller needs to process the individual’s payment information, which is transferred to financial institutions for payment purposes, and may also need their name and physical address, to be shared with the shipment service for delivery of training materials. 

Assessing what is objectively and strictly necessary involves an assessment of the processing “for the objective pursued and of whether it is less intrusive compared to other options for achieving the same goal”. In other words, the processing is not considered strictly necessary if there are realistic, less intrusive processing alternatives available to achieve the objective of the contract. Processing that is useful but not objectively necessary for performing the contract or service is not covered by this lawful basis – so, profiling a client’s tastes and choices based on purchased courses may be useful, but will not be considered as necessary in the example above – legitimate interest or consent may be suitable alternatives instead. 

In the context of the faculty, this legal basis is often applied by researchers in processing activities like (web) conferences, for providing services like access to facilities and even for mailing lists and newsletters, and for providing (research) services to other parties. 

In Step 7 of the Privacy Scan guidance, it is explained how to ensure this legal basis is properly applied in a processing activity.

Legal obligation (Article 6(1)(c) GDPR) is appropriate when the processing is strictly necessary “for compliance with a legal obligation to which the controller is subject”. This legal obligation must derive exclusively from an EU or Member State law. It cannot derive from a contractual arrangement, non-binding government requests or any form of “guidelines” or “best practice documents” that do not have the force of law. This only covers “obligations” under national law, meaning regulations that require a certain processing operation. It does not cover situations where the law merely permits certain conduct or processing operations.

For example: an employer processes personal data for social insurance purposes or under a duty to document compliance with workers’ rights. A bank keeps records and shares them with authorities under money laundering legislation. A company keeps all relevant financial information under a duty to keep documentation on paid taxes for a certain number of years.

A controller gets a request from the police to disclose certain information. The police claim to have a right to obtain that information. Once the controller takes a closer look, it turns out that under applicable national law, the police may ask the controller for such information and hope for voluntary support, but the controller has no obligation to comply with this request. Therefore, the controller cannot share the information under Article 6(1)(c) GDPR, as there is no “legal obligation”.

Vital interest (Article 6(1)(d) GDPR) is only appropriate if it is strictly necessary to protect the vital interests of the data subject or of another natural person. The underlying assumption here is that the right to life takes precedence over data protection and – in the case of the vital interests of the data subject – the data subject is assumed to consent to the processing.  

For example: the data subject is rushed to the hospital and the doctors check their medical data systems to ensure that they are fully aware of any potential complications from preexisting conditions or allergic reactions.

There are many different activities and entities that can rely on public interest (Article 6(1)(e) GDPR), such as certain tasks of notaries public and lawyers, private entities tasked with technical inspections on behalf of the government, health care providers or ambulance services, utility providers that are e.g. tasked with operating “smart meters”, etc.

Our focus here is on Utrecht University’s public interest on tasks related to education and scientific research, as these tasks are recognized by the Dutch Higher Education and Scientific Research Act (Wet op het hoger onderwijs en wetenschappelijk onderzoek).  

Incidentally, this Act does not contain specific provisions (as required by GDPR Art. 6(3)) to adapt the application of the rules of the GDPR (it does not specify the general conditions of the processing; the types of data which are subject to the processing; the data subjects concerned; the purpose limitation; storage periods; etc.). Therefore, an assessment of necessity and proportionality is required in order to rely on this legal basis.

In practice, public interest can be an appropriate legal basis for scientific research processing activities where it is not practical or feasible to directly and individually collect consent from data subjects – for example, when performing observations. It is also appropriate for other activities like interviews and surveys, where a potential imbalance of power precludes the use of consent as a legal basis. 

In Step 7 of the Privacy Scan guidance, it is explained how to ensure this legal basis is properly applied in a processing activity. 

Legitimate Interest (Article 6(1)(f) GDPR) establishes a legal basis for the processing of personal data when the “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”. 

While ‘consent’ deals with situations where data subjects waived their rights and ‘contract’, ‘legal obligation’ and ‘public task’ deal with common purposes where processing is allowed, ‘legitimate interest’ deals solely with situations where the controller (or a third party) has an interest that may conflict with the data subjects’ fundamental right to data protection. 

The concept of “interest” is closely related to, but distinct from, the concept of “purpose”. A “purpose” is the specific reason why the data are processed: the aim or intention of the data processing. An “interest”, on the other hand, is the broader stake or benefit that a controller or third party may have in engaging in a specific processing activity. While the public interest based on the Dutch Education Act is mostly limited to research and education, a wide range of interests is, in principle, capable of being regarded as legitimate – event promotion, security and fraud prevention, marketing, product improvement, among others.  

For example, a Dutch private company wants to share a dataset with university researchers. The private company (which is not governed by the Dutch Education Act and so cannot rely on public interest) can claim the scientific research of the researchers (who are a third party) as the identified legitimate interest.

In Step 7 of the Privacy Scan guidance, it is explained how to ensure this legal basis is properly applied in a processing activity. In addition, extended guidance on the application of legitimate interest has recently been published by the European Data Protection Board (EDPB).

Consent (Article 6(1)(a) GDPR) is the legal basis that most people are familiar with, and is also the most used legal basis for scientific research. In short, this legal basis enables data subjects to give their consent – their permission – to the processing of their personal data for one or more specific purposes. 

As stated previously, the GDPR requires that the use of personal data must be necessary and proportional, and so the concept of necessity and proportionality is embedded in five of the six legal bases. The notable exception is consent, which is based on the right of data subjects to informational self-determination. The legal basis of consent implements the fact that data subjects have agency over their rights, which means they can give permission to others to process their data if they choose to do so, regardless of the necessity or proportionality of the processing. This is why the conditions for consent to be valid are quite distinct from the conditions for the other five legal bases – in particular, because data subjects are usually the weaker party in the transaction, the GDPR foresees a number of conditions that controllers have to comply with to obtain valid consent – see our guidance on assessing consent for a detailed look at these conditions.

In addition, the European Data Protection Board (EDPB) has published guidance in connection with consent: The Guidelines 5/2020 on consent under the GDPR, Guidelines 03/2022 on deceptive design patterns in social media platform interfaces and Opinion 08/2024 on Valid Consent in the Context of Consent or Pay Models Implemented by Large Online Platforms. 

In Step 7 of the Privacy Scan guidance, it is explained how to ensure this legal basis is properly applied in a processing activity. 

Keep in mind that it is possible that more than one legal basis is appropriate for a given processing activity. For example, processing registration data for a newsletter can potentially be based on consent, contract or even legitimate interest.

In general, personal data that was collected for one purpose cannot freely be used for another purpose – that is the principle of purpose limitation, which ensures that personal data may only be processed for (one or more) specified purposes. Nevertheless, there are a few exceptions to this principle that allow further processing:

  • For a compatible purpose (Article 6(4)): A doctor may use a patient’s records in a court procedure to prove that the patient has not paid medical bills, but may not use them for marketing purposes.
  • When it is based on the data subject’s consent (Article 6(1)(a)): A conference organizer may share registration data with their sponsors if participants have given their consent.
  • If it is allowed or required by Union or Member State law (Article 6(1)(c)): An event organizer can be asked to share registration data with law enforcement when a crime has taken place.
  • When it is for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes (Article 5(1)(b), 6(1)(e) and 89(1)): For example, personal data processed for the purpose of education (for example, materials like exam results and student reports) can in principle be further processed for the purpose of scientific research (for example, to research the performance of the class, and to publish the results of the study), where this purpose can rely on public interest as its legal basis – in which case obtaining the students’ consent would not be required.