Legal Basis
https://publicschema.org/vocab/legal-basis
The lawful ground under which a controller processes personal data, corresponding to the six bases enumerated in GDPR Article 6(1) and mirrored in most national data protection laws. Choosing the correct basis is a policy decision, not a technical one. Programs that claim consent when beneficiaries cannot realistically refuse without losing service should use legal_obligation or public_interest instead.
Aligned standards
| Standard | Equivalent | Match |
|---|---|---|
| DPV GDPR extension v2 | GDPR Article 6 - Lawfulness of processing | exact |

The six values of this vocabulary map one-to-one to GDPR Article 6(1)(a) through Article 6(1)(f). See individual value notes for per-value URIs.
Values
| Code | Label | Standard code | Definition |
|---|---|---|---|
| consent | Consent | | The data subject has freely given, specific, informed, and unambiguous consent to the processing for one or more defined purposes. Requires genuine choice. If the program is effectively unconditional (the beneficiary cannot refuse without losing service), consent is not the honest basis. Use legal_obligation or public_interest instead. DPV GDPR mapping: GDPR Article 6(1)(a), dpv-gdpr:A6-1-a. |
| contract | Contract | | Processing is necessary for the performance of a contract to which the data subject is party, or to take steps at the data subject's request before entering into a contract. Common in employment, housing, or financial service programs where a formal agreement exists between the program and the beneficiary. DPV GDPR mapping: GDPR Article 6(1)(b), dpv-gdpr:A6-1-b. |
| legal_obligation | Legal obligation | | Processing is necessary to comply with a legal obligation to which the controller is subject, such as a national law requiring registration of beneficiaries or mandatory reporting to a supervisory authority. Often the honest basis when program participation is mandatory. DPV GDPR mapping: GDPR Article 6(1)(c), dpv-gdpr:A6-1-c. |
| vital_interest | Vital interest | | Processing is necessary to protect the vital interests of the data subject or another natural person, typically in emergency or life-threatening situations such as disaster response where obtaining consent is not feasible. The scope is narrow; it does not cover routine program delivery. DPV GDPR mapping: GDPR Article 6(1)(d), dpv-gdpr:A6-1-d. |
| public_interest | Public interest | | Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The most common honest basis for government social protection programs, where delivery of the program itself is the public-interest task. The applicable national law should be cited in legal_basis_reference. DPV GDPR mapping: GDPR Article 6(1)(e), dpv-gdpr:A6-1-e. |
| legitimate_interest | Legitimate interest | | Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where those interests are overridden by the interests or fundamental rights of the data subject. Requires a balancing test. Least commonly applicable in public-authority programs, which typically have a more specific basis available. DPV GDPR mapping: GDPR Article 6(1)(f), dpv-gdpr:A6-1-f. |
Referenced by this vocabulary
- W3C DPV v2. W3C Data Privacy Vocabularies and Controls Community Group (DPVCG), 2024.
Other references
- GDPR Article 6 - Lawfulness of processing (match: superset). Article 6(1)(a) through (f) define the six lawful bases.