GDPR and legal bases: Understand everything about the legal obligation
In civil law, an obligation designates a legal relationship between several people who are required to do or not do something. A so-called legal obligation is set by law.
In this article, we explain under what conditions a legal obligation can serve as the legal basis for processing.
So relax, we'll explain everything in 5 minutes!
The 6 legal bases provided for by the GDPR
Compliance with a legal obligation is one of the 6 legal bases provided for by the GDPR:
- Consent,
- The contract, last week's article,
- The legal obligation, this week's article,
- The public interest mission,
- Safeguarding vital interests,
- Legitimate interest.
As a reminder, choosing a legal basis is mandatory for the processing to be lawful. This choice also determines which rights data subjects can exercise with respect to the processing in question: the rights available differ depending on the basis chosen.
To learn more, check out our previous articles and follow us on LinkedIn to be notified as soon as our next articles are published!
The legal basis "legal obligation": what is it?

The data controller may choose this legal basis when the processing is required by applicable law. In other words, the data controller has no choice: it must carry out the processing in order to comply with its obligation. The legal text itself defines the purposes of the processing.
For example, the Labor Code requires the employer to keep a single personnel register. It must include a lot of personal data (surname, first name, nationality, gender, job, qualification, etc.). The data controller must keep this register; otherwise it fails to fulfill its legal obligation and is exposed to criminal sanction.
Under what conditions should this legal basis be chosen?
The legal obligation must meet four characteristics to be legitimately chosen as the legal basis.
✅ It must be:
- Defined by European law or national law
The obligation invoked by the data controller must be defined by national law or European Union law. The obligation may, for example, arise from a law, a decree, a European regulation, etc. The national law on which the obligation is based is the law to which the data controller is subject.
Note that a contractual clause cannot be considered a legal obligation. In this case, the legal basis will have to be reviewed. The data controller will then choose the contract as the legal basis. See our article on the subject.
- Imperative
The data controller must be subject to this legal obligation. As explained earlier, it must have no choice but to comply with this obligation: it must be compelled to carry out the processing in order to meet it. The text identified as the source of the obligation must impose the processing on the data controller.
Finally, the legal obligation must provide for the implementation of the processing. The text must not leave the data controller too wide a margin of discretion. Concretely, the text must address how the data controller is to carry out the processing to meet its obligation.
- Clear and precise
The legal obligation must at least specify the purpose of the processing. The processing must serve one objective, not an accumulation of objectives. This is where the principle of purpose limitation comes into play. To find out the specificities of this principle, see our article on the subject.
- Intended for the data controller, and not the data subjects
The text on which the legal obligation is based must clearly indicate that the obligation applies to the data controller. The data controller must be the only one required to meet this obligation for the legal basis to be chosen. The processing cannot be based on a legal obligation that is addressed to the persons whose data is processed.
For example, the tax administration which processes taxpayers' tax returns cannot base this processing on a legal obligation. The obligation to declare taxes is in fact aimed at the individuals, not the entity processing the declarations. This processing is instead based on the public interest mission.
If these conditions are not met, the processing of the data cannot be based on a legal obligation and the data controller must choose another legal basis.
To illustrate, on June 16, 2020, the Data Protection Authority (APD, the Belgian supervisory authority) ruled on a complaint filed by parents against a school. To carry out a "well-being survey" among students, the school sent a questionnaire to the children. This document contained personal data of the children and clearly allowed them to be identified.
The school based this processing on a legal obligation arising from a Flemish decree "relating to the supervision of students in basic education, secondary education and in student supervision centers". Student supervision here includes:
- School career,
- Learning and study,
- Psychological and social functioning,
- Preventive health care.
Parents of students filed a complaint, arguing that their consent was required for the school to carry out this data processing. The APD found that the legal obligation exists, but that it does not require students to respond to a questionnaire allowing them to be identified. The decree sets out the purposes of the processing, but does not specify which personal data of students (minors under 13 years of age) must be processed.
The Belgian supervisory authority concluded that the school acted beyond the means provided for by the text to meet the legal obligation to which it is subject. The legal obligation does not require the school to carry out a questionnaire among students. Therefore, the processing cannot be based on a legal obligation. The legal basis for this processing is consent. This must be collected from the legal guardians of minor children.
To find out more, see the decision rendered: https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-31-2020.pdf

What are the consequences for individuals' rights?
Persons affected by processing based on a legal obligation will not be able to exercise their right to object, nor their right to data portability. Indeed, since the legal obligation is imperative, the data controller cannot grant a person's objection request.
To comply with your obligations, the information that you must communicate to individuals (see Articles 13 and 14 of the GDPR) should include, in an internal and/or external confidentiality policy, a notice that they will not be able to exercise these rights.
Data Comply One (formerly Mission RGPD) and the legal bases
Is it difficult for you to know which legal basis to choose? Don't have the time you need to devote to managing your compliance? Are you lost?
✅ Data Comply One (formerly Mission RGPD) provides you with numerous document models useful for your compliance. Among these documents, find models of internal and external confidentiality policies. Download them and adapt them to your business.
Save time with a pre-filled compliant document!
Don't waste any more time, it's so simple!