Protecting vital interest

Here we explain the meaning of protecting vital interests as a legal basis under the GDPR.

Explained – what does the ‘vital interests’ legal basis mean?

Protecting vital interests is a legal basis under Article 6(1)(d) of the GDPR. It permits the processing of personal data where this is necessary to protect the vital or fundamental interests of the data subject or another natural person. It is intended for urgent situations where a person’s life, health or safety is at risk and the processing is necessary to address those risks.

This basis is used very restrictively and primarily where no other legal basis applies, in particular not consent, because the circumstances often make it impossible to obtain consent in a meaningful way.

When does the question of vital interests arise under the GDPR?

The question arises in emergencies and other critical contexts where immediate processing of personal data is required to avoid serious harm. This may concern the data subject or other individuals.

Examples include the processing of medical data in an acute illness or accident, or the processing of contact details to warn people rapidly of an imminent security threat.

Illustration of protecting vital interests under GDPR, showing a connected data network with a highlighted risk point and legal data protection safeguards.

Practical points when relying on vital interests (and not Legitimate Interest)

When relying on this legal basis, an organisation should ensure the following:

  • That the situation is urgent and requires immediate action.
  • That the processing is directly linked to protecting a vital interest, such as life or physical safety.
  • That no other legal basis is appropriate or available in the situation.
  • That the processing is proportionate and limited to what is necessary.
  • That the situation and the justification for using the basis are documented.

This legal basis should be used only in genuine emergencies and not as a default solution. If the processing can be supported by another legal basis under the GDPR, that basis should be preferred.

Protecting vital interest

Why is the ‘vital interests’ legal basis important?

This legal basis is important because it enables life-saving measures and critical protection of people in emergencies. Without it, necessary processing could be blocked by administrative requirements, which could expose individuals to unnecessary risks.

At the same time, using the basis entails a responsibility to ensure it is applied only where genuinely necessary and that the data subject’s privacy is safeguarded even under pressure.

From a trust perspective, it is crucial that organisations act swiftly in emergencies while also demonstrating transparency and accountability in how they handle personal data in these contexts.

Frequently asked questions on vital interests and Legitimate Interest

It means personal data may be processed where necessary to protect a person’s vital or fundamental interests.

When the situation is urgent and no other legal basis applies, for example where consent cannot be obtained.

  • Processing medical data in connection with an accident.
  • Processing data to warn people about a natural disaster.
  • Contact tracing during serious disease outbreaks.

No. Consent is not required because the situation often makes it impossible to obtain it meaningfully.

Once the urgent need ends, the processing must cease or continue only on another legal basis if it is to be maintained.

An organisation should:

  • Describe the emergency and its risks.
  • Explain why no other legal basis was applicable.
  • Record which data were processed and for what purpose.

Read more about our services

GDPR Lawyer

Engage Morling Consulting’s privacy counsel when personal data issues need to be addressed in a business-focused manner with clear control of risk. We provide support with governance, contracts, transparency and processor arrangements, ensuring the organisation remains consistent towards data subjects and the Data Protection Authority (IMY).

DPIA

We prepare Data Protection Impact Assessments (DPIAs) for processing activities that may pose a high risk and require a documented basis for decision-making. We carry out the assessment, identify risks, and put in place mitigations and documentation so the DPIA is auditable, traceable, and ready for review.

Breach management

Morling Consulting supports incident management when a personal data breach must be handled swiftly and correctly. We lead the assessment, remediation plan and documentation, including materials for notification and communications, so the organisation acts in a coordinated way and reduces consequential harm.

Contact

Felix Morling

Contact us

If you prefer phone, please feel free to contact Felix Morling at +46 70 444 42 85

"*" indicates required fields