Legal obligation applies as a lawful basis when processing personal data is necessary to comply with a common law or statutory obligation. In this case, there must be a specific legal provision or an appropriate source of advice or guidance that clearly sets out the obligation.
It does not apply to contractual obligations, and it does not apply when it is reasonably possible to achieve the same goal without processing the personal data.
As always, the decision should be documented, so that there is a justification for why and how the personal data was gathered and processed.
When is it Applied?
It is applied when an organization is obliged to process the personal data to comply with the law.
Be aware that Recital 41 confirms that this does not have to be an explicit statutory obligation, as long as the application of the law is foreseeable to those individuals subject to it. So it includes clear common law obligations.
Put simply, it is applied whenever a Member State or EU law enforces it, because the overall purpose is to comply with a legal obligation which has a sufficiently clear basis in either common law or statute.
It requires identifying the obligation in question, either by reference to the specific legal provision or by pointing to an appropriate source of advice or guidance that sets it out clearly. For example, you can refer to a government website or to industry guidance that explains generally applicable legal obligations.