Contract, Legal Obligation, and Vital Interests
Under the General Data Protection Regulation (GDPR), organizations must establish a lawful basis before processing personal data. Among the six legal bases outlined in Article 6(1), three important ones are Contract, Legal Obligation, and Vital Interests.

**Contract (Article 6(1)(b)):** This basis permits data processing when it is necessary for the performance of a contract to which the data subject is a party, or to take pre-contractual steps at the data subject's request. For example, an employer processing an employee's bank details to pay their salary, or an online retailer processing a customer's address to deliver a purchased product. The processing must be genuinely necessary for the contract's execution, not merely useful or convenient. Organizations cannot bundle unrelated processing activities under this basis simply by including them in contractual terms.

**Legal Obligation (Article 6(1)(c)):** This basis applies when processing is necessary to comply with a legal obligation imposed on the data controller by EU or Member State law. Examples include employers processing employee data for tax reporting, organizations complying with anti-money laundering regulations, or businesses retaining financial records as required by accounting laws. The obligation must be clearly established in law and not merely a voluntary or contractual commitment. Controllers should identify the specific legal provision requiring the processing.

**Vital Interests (Article 6(1)(d)):** This basis allows processing when it is necessary to protect the vital interests of the data subject or another natural person, typically involving life-or-death situations. Examples include processing medical data during a medical emergency when the individual is unconscious and unable to give consent, or sharing personal information during natural disasters to locate missing persons. This basis is narrowly interpreted and should only be relied upon when no other legal basis applies. It cannot be used for routine processing and is generally considered a last resort, primarily applicable in situations involving serious threats to life or physical integrity.
Contract, Legal Obligation, and Vital Interests as Legal Bases Under European Data Protection Law
Introduction
Under the General Data Protection Regulation (GDPR), any processing of personal data must be grounded in one of six legal bases set out in Article 6(1). Among these, contract (Article 6(1)(b)), legal obligation (Article 6(1)(c)), and vital interests (Article 6(1)(d)) represent three critical foundations that data controllers rely upon to lawfully process personal data. For anyone preparing for the CIPP/E certification exam, a thorough understanding of these legal bases—their scope, limitations, and practical application—is essential.
Why Are These Legal Bases Important?
These three legal bases are important because they define the boundaries within which organisations can process personal data without relying on consent, legitimate interests, or public interest justifications. Understanding them is critical for several reasons:
• Practical prevalence: Organisations process enormous volumes of personal data on the basis of contractual necessity (e.g., employment contracts, service agreements) and legal obligations (e.g., tax reporting, anti-money laundering) every day.
• Compliance obligations: Misidentifying the legal basis can lead to regulatory enforcement, fines, and reputational damage. Controllers must be able to correctly identify and document the appropriate legal basis before processing begins.
• Data subject rights implications: The legal basis chosen directly affects which rights are available to data subjects. For example, the right to data portability (Article 20) applies only where processing is based on consent or contract and is carried out by automated means, while the right to erasure may be limited when processing is required by a legal obligation.
• Accountability and transparency: Under Articles 13 and 14 of the GDPR, controllers must inform data subjects of the legal basis relied upon, making correct identification a transparency requirement.
What Is Each Legal Basis?
1. Contract – Article 6(1)(b)
This legal basis permits the processing of personal data where it is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract.
Key elements:
• The data subject must be a party to the contract. Processing data about third parties cannot be justified under this basis.
• The processing must be genuinely necessary for the performance of the contract—not merely useful or convenient. The European Data Protection Board (EDPB) has emphasised a strict, objective interpretation of necessity in its Guidelines 2/2019 on Article 6(1)(b) in the context of online services.
• Pre-contractual steps must be taken at the request of the data subject, not unilaterally by the controller.
• This basis covers activities such as delivering goods ordered online, processing payroll for employees under an employment contract, or verifying identity to open a bank account.
Important distinction: Just because data processing occurs in the context of a contract does not automatically mean Article 6(1)(b) applies. For example, profiling users for targeted advertising purposes is generally not considered necessary for the performance of a contract for an online service, even if the terms of service mention it. The EDPB has been clear that bundling unrelated processing into a contract does not make it "necessary" for contractual performance.
2. Legal Obligation – Article 6(1)(c)
This legal basis applies where processing is necessary for compliance with a legal obligation to which the controller is subject.
Key elements:
• The obligation must be imposed by EU law or Member State law (Recital 45). It cannot be based on a contractual obligation or a voluntary commitment.
• The legal obligation must be sufficiently clear and precise. It does not need to be an explicit statutory provision in every case, but it must have a basis in law.
• The controller does not have a choice—if the law requires the processing, the controller must process the data. This distinguishes it from other legal bases where there is more discretion.
• Common examples include: tax reporting obligations, employment law requirements (e.g., reporting workplace injuries), anti-money laundering checks, financial reporting under securities law, and data retention requirements imposed by telecommunications regulations.
Important distinction: A legal obligation under one Member State's law may not exist under another's. This is why the GDPR allows Member States to maintain or introduce more specific provisions under Article 6(2) and (3). Exam candidates should understand that this legal basis is inherently tied to the specific jurisdiction's legal framework.
3. Vital Interests – Article 6(1)(d)
This legal basis allows processing where it is necessary to protect the vital interests of the data subject or of another natural person.
Key elements:
• Vital interests are interpreted narrowly and generally relate to matters of life and death or serious threats to health. Recital 46 explicitly mentions situations such as monitoring epidemics and humanitarian emergencies.
• This basis can be used to protect the vital interests of another natural person, not just the data subject. For example, processing data to locate a missing person or to respond to a natural disaster.
• It serves as a legal basis of last resort—it should only be relied upon when no other legal basis is available. Recital 46 states that processing based on the vital interests of another natural person should "in principle take place only where the processing cannot be manifestly based on another legal basis", and the same restraint is applied in practice to the data subject's own vital interests.
• For special categories of data (Article 9(2)(c)), vital interests can be relied upon only where the data subject is physically or legally incapable of giving consent.
Important distinction: Vital interests is not a general "emergency" basis. It cannot be used simply because a situation is urgent or commercially important. The threshold is genuinely about threats to life or physical integrity.
How Do These Legal Bases Work in Practice?
Choosing the Right Legal Basis
Controllers must identify the appropriate legal basis before processing begins. The choice must be documented as part of the controller's accountability obligations under Article 5(2) and is typically recorded in the Record of Processing Activities (ROPA) under Article 30. Note that Article 30(1) does not itself list the legal basis among the mandatory ROPA fields; recording it there is established practice recommended by supervisory authorities, and the legal basis must in any case appear in the privacy notice under Articles 13 and 14.
A controller cannot retrospectively swap one legal basis for another to keep the same processing going. If a controller initially relies on consent and that consent is withdrawn, it cannot simply switch to contract or legitimate interests to continue the processing. The EDPB confirmed this in its Guidelines 05/2020 on consent.
Interaction with Data Subject Rights
The legal basis chosen has direct implications for data subject rights:
• Contract (Article 6(1)(b)): Triggers the right to data portability (Article 20) where the processing is carried out by automated means. The general right to object (Article 21(1)) does not apply. The right to erasure may apply unless continued processing is necessary for contractual performance.
• Legal obligation (Article 6(1)(c)): The right to erasure is restricted—a controller cannot delete data if it is required by law to retain it (Article 17(3)(b)). The general right to object does not apply. The right to data portability does not apply.
• Vital interests (Article 6(1)(d)): The general right to object does not apply under this basis (Article 21(1) only covers processing based on public interest or legitimate interests). The right to erasure may apply once the vital interest situation has resolved.
One caveat for all three: the separate right to object to processing for direct marketing purposes (Article 21(2)) is not tied to any legal basis and applies whenever personal data is used for direct marketing.
Special Categories of Data (Article 9)
For processing special category data (health data, biometric data, etc.):
• Contract alone is not listed as an exception under Article 9(2), so processing special categories solely on the basis of contractual necessity requires an additional Article 9 exception (e.g., employment law obligations under Article 9(2)(b)).
• Legal obligation may correspond to Article 9(2)(b) (employment and social security law) or other specific exceptions.
• Vital interests is explicitly addressed under Article 9(2)(c), but only where the data subject is physically or legally incapable of giving consent.
Key Differences at a Glance
• Contract: Data subject must be a party; processing must be necessary for performance or pre-contractual steps at the data subject's request; strict necessity test applies.
• Legal obligation: Must be grounded in EU or Member State law; controller has no discretion—it must process; cannot be based on contractual or self-imposed obligations.
• Vital interests: Life-or-death or serious health situations; basis of last resort; can protect third parties' vital interests; narrow interpretation required.
Exam Tips: Answering Questions on Contract, Legal Obligation, and Vital Interests
Tip 1: Focus on the Necessity Test
All three legal bases include the word "necessary." In exam scenarios, always ask: Is the processing genuinely necessary for the stated purpose, or is it merely useful or desirable? The GDPR applies a strict necessity standard—processing that goes beyond what is needed to fulfil the contract, comply with the law, or protect vital interests will not be covered by these bases.
Tip 2: Identify the Correct Legal Basis for the Scenario
Exam questions often present a factual scenario and ask you to identify the most appropriate legal basis. Look for clues:
• If the scenario involves a direct contractual relationship between the organisation and the individual (e.g., delivering a product, providing a service), consider Article 6(1)(b).
• If the scenario mentions a statutory requirement, regulation, or law that compels the processing (e.g., tax law, AML regulations), consider Article 6(1)(c).
• If the scenario involves a life-threatening emergency and no other legal basis is feasible, consider Article 6(1)(d).
Tip 3: Remember That Vital Interests Is a Last Resort
If an exam question involves a medical emergency but the data subject has already provided consent or the processing could be based on another legal basis, vital interests is not the correct answer. Always check whether another basis could apply first.
Tip 4: Understand the Data Subject Rights Implications
A common exam question type asks which data subject rights apply or do not apply depending on the legal basis. Remember:
• Data portability = consent or contract only (and only for processing carried out by automated means)
• General right to object = legitimate interests or public interest only (the direct-marketing objection in Article 21(2) applies regardless of basis)
• Right to erasure can be limited by legal obligations
Tip 5: Watch for Trick Scenarios Involving Contract
Be cautious of scenarios where an organisation claims contractual necessity for processing that is not genuinely necessary for the contract (e.g., behavioural advertising bundled into terms of service). The EDPB has made clear that Article 6(1)(b) cannot be stretched to cover processing that is merely referenced in a contract but is not objectively necessary for its performance.
Tip 6: Distinguish Legal Obligations from Voluntary Commitments
If a scenario describes an industry code of conduct, a company policy, or a contractual promise (rather than a statutory requirement), this does not qualify as a legal obligation under Article 6(1)(c). The obligation must have its basis in law.
Tip 7: Consider Special Category Data Separately
If the scenario involves health data or other special category data, remember that you need both an Article 6 legal basis and an Article 9 exception. Contract alone is not an Article 9(2) exception. Vital interests under Article 9(2)(c) requires the data subject to be incapable of giving consent.
Tip 8: Pay Attention to Jurisdictional Nuances
Legal obligation is jurisdiction-specific. If a question asks about a legal obligation, consider whether the obligation exists under EU law or the relevant Member State's law. An obligation under a non-EU country's law would not qualify.
Tip 9: Use the Process of Elimination
When facing multiple-choice questions, systematically eliminate options. If the scenario does not involve a contract, eliminate Article 6(1)(b). If there is no statutory requirement, eliminate Article 6(1)(c). If there is no life-threatening situation, eliminate Article 6(1)(d). This approach helps you narrow down to the correct answer efficiently.
Tip 10: Remember the Accountability Principle
Controllers must document their choice of legal basis. If an exam question asks about compliance steps, documenting the legal basis in the ROPA and in privacy notices (Articles 13/14) is a key element of the correct answer.
Summary
Contract, legal obligation, and vital interests are three foundational legal bases under GDPR Article 6(1). Each has distinct requirements, limitations, and implications for data subject rights. For the CIPP/E exam, success depends on understanding the strict necessity test that applies to all three, knowing when each basis is appropriate, recognising the interplay with special category data rules, and being able to apply these principles accurately to real-world scenarios. Always read exam questions carefully for factual clues that point to the correct legal basis, and remember the key distinctions: contract requires a direct contractual relationship, legal obligation requires a statutory basis in law, and vital interests is reserved for genuine threats to life and is a basis of last resort.