Legal obligation
Here we explain what the legal obligation as a lawful basis entails and when it can be used.
Explained: what is the legal obligation basis under the GDPR?
Legal obligation is a lawful basis under Article 6(1)(c) of the GDPR. It permits the processing of personal data where necessary to comply with an obligation arising under law or another binding legal rule in EU or national legislation. This also applies where the obligation follows from sector-specific legislation, such as the Book-keeping Act or the Anti-Money Laundering Act.
This basis is often used where an organisation must handle personal data in order to meet legal requirements, regardless of whether the data subject consents.
When does the legal obligation basis under the GDPR apply?
The question arises where an organisation must process personal data to comply with a specific legal requirement. This is common in finance, employment law, tax law and regulatory compliance in regulated industries, including accounting, where retention duties are prescribed by law.
Examples include retaining accounting records under the Book-keeping Act, reporting suspicious transactions under the Anti-Money Laundering Act, or providing information to the Swedish Tax Agency (Skatteverket) under the Tax Procedure Act. Accounting and adjacent compliance domains account for many such obligations.
Key considerations for using the legal obligation basis
To rely on legal obligation as a lawful basis, an organisation should consider the following:
- Identify the specific legal requirement that mandates the processing.
- Process only the personal data necessary to meet that requirement.
- Inform the data subject of the lawful basis and the applicable legal obligation.
- Maintain records demonstrating that the processing is grounded in a legal obligation.
- Cease the processing when the legal obligation no longer applies.
- Align the processing with other legal requirements, for example the GDPR’s storage limitation principle and the purpose limitation principle.
By working in a structured manner, an organisation reduces the risk of both GDPR infringements and breaches of the relevant sectoral legislation.
Why is the legal obligation basis under the GDPR important?
Legal obligation is important because it ensures organisations can meet their duties under law without risking a breach of the GDPR. It provides clear and predictable support for the processing of personal data where this is required for regulatory compliance.
At the same time, it is vital not to use legal obligation as a blanket justification for all processing. Its use must always be tied to a clear and documented legal requirement.
From a business and trust perspective, correct handling of legal obligations demonstrates that the organisation takes both its legal duties and the protection of individuals’ privacy seriously across Europe.
Frequently asked questions on legal obligation
The lawful basis “legal obligation” permits processing of personal data where it is necessary to comply with a duty set out in law or another binding legal rule.
When the processing is directly mandated by a specific legal rule and is necessary to fulfil that obligation.
Common examples include:
- Retention of accounting records under the Book-keeping Act (a legal obligation in accounting).
- Reporting of suspicious transactions under the Anti-Money Laundering Act.
- The duty to provide information to the Swedish Tax Agency (Skatteverket) under the Tax Procedure Act.
No, consent is not required where processing is necessary to comply with a legal obligation. Consent is unsuitable in such cases because the data subject has no genuine choice as to whether the processing occurs.
When the legal obligation no longer applies, the processing must stop unless another lawful basis exists.
The organisation should:
- Identify the specific statute or regulation, including the relevant provision, that mandates the processing.
- Limit collection to what is necessary.
- Retain documentation evidencing that the processing complies with the requirement.
Read more about our services
GDPR Lawyer
Engage Morling Consulting’s privacy counsel when personal data issues need to be addressed in a business-focused manner with clear control of risk. We provide support with governance, contracts, transparency and processor arrangements, ensuring the organisation remains consistent towards data subjects and the Data Protection Authority (IMY).
DPIA
We prepare Data Protection Impact Assessments (DPIAs) for processing activities that may pose a high risk and require a documented basis for decision-making. We carry out the assessment, identify risks, and put in place mitigations and documentation so the DPIA is auditable, traceable, and ready for review.
Breach management
Morling Consulting supports incident management when a personal data breach must be handled swiftly and correctly. We lead the assessment, remediation plan and documentation, including materials for notification and communications, so the organisation acts in a coordinated way and reduces consequential harm.
Contact us
If you prefer phone, please feel free to contact Felix Morling at +46 70 444 42 85