Exercise of public authority (GDPR)
Here we explain what the legal basis for the exercise of public authority and tasks carried out in the public interest means, and when it can be used.
Explained – what do the exercise of public authority and tasks carried out in the public interest mean?
The exercise of public authority and tasks carried out in the public interest is a legal basis under Article 6(1)(e) of the GDPR. It permits the processing of personal data where this is necessary to perform a task carried out in the public interest or as part of the exercise of public authority, and where the processing is supported by EU law or national law.
Examples of tasks in the public interest include the compilation of statistics, archiving activities, public health work and the prevention and detection of crime. The exercise of authority covers decisions and measures taken under public-law powers, such as the issuing of licences or permits, inspections or decisions on grants.
When is the exercise of public authority and tasks in the public interest engaged?
The question arises where a public authority or organisation performs tasks governed by law that matter to society at large. This covers both direct administrative decisions and activities intended to benefit the public without being the exercise of authority in a strict sense.
Examples include the Swedish Tax Agency (Skatteverket) handling tax returns, the Public Health Agency of Sweden (Folkhälsomyndigheten) conducting contact tracing, or a municipal archival authority preserving records. In such contexts, the exercise of public authority or a public interest task may provide the lawful basis for processing.
Key points when relying on the exercise of public authority and tasks in the public interest
When using this legal basis, ensure the following:
- That the processing has clear support in statute or another legal rule.
- That the task is genuinely in the public interest or constitutes the exercise of authority.
- That only those personal data that are necessary are processed.
- That the GDPR’s core principles of lawfulness, purpose limitation and data minimisation are observed.
- That the processing is documented and can be justified in an audit or supervisory review.
This basis often applies to public authorities, but it can also extend to private entities that are mandated by law to carry out public interest tasks. In all cases, the exercise of authority must be proportionate to the stated purpose.
Why are the exercise of public authority and tasks in the public interest important?
This basis is important because it enables the processing of personal data necessary for society to function, without relying on consent or other legal bases. It ensures that essential public and socially beneficial tasks can be carried out lawfully.
At the same time, it entails responsibility not to use the ground as a blanket justification. Processing must always have a clear link to statutory duties and be proportionate to the aim. Proper application promotes legal certainty, transparency and public trust in both authorities and private actors operating under public mandates.
Frequently asked questions on the exercise of public authority and tasks in the public interest
They mean that personal data may be processed where it is necessary to perform a task in the public interest or the exercise of authority, and the processing is grounded in law.
- Collection and analysis of statistics.
- Public health work and contact tracing.
- Archiving of records of historical value.
- Issuing driving licences or passports.
- Decisions on planning permission or environmental permits.
- Inspections and supervisory decisions.
Yes, if they are mandated by law to perform public interest tasks or certain forms of the exercise of authority.
No. Consent is not required where processing is based on statutory public interest tasks or the exercise of authority.
An organisation should:
- Identify the legal provision that enables the processing.
- Describe the societal benefit of the task or its character as the exercise of authority.
- Limit processing to the personal data that are necessary.
- Retain documentation demonstrating compliance with legal requirements.
Read more about our services
GDPR Lawyer
Engage Morling Consulting’s privacy counsel when personal data issues need to be addressed in a business-focused manner with clear control of risk. We provide support with governance, contracts, transparency and processor arrangements, ensuring the organisation remains consistent towards data subjects and the Data Protection Authority (IMY).
DPIA
We prepare Data Protection Impact Assessments (DPIAs) for processing activities that may pose a high risk and require a documented basis for decision-making. We carry out the assessment, identify risks, and put in place mitigations and documentation so the DPIA is auditable, traceable, and ready for review.
Breach management
Morling Consulting supports incident management when a personal data breach must be handled swiftly and correctly. We lead the assessment, remediation plan and documentation, including materials for notification and communications, so the organisation acts in a coordinated way and reduces consequential harm.