According to the GDPR, lawful processing requires a legal basis (see the “Lawfulness, fairness and transparency” subsection in the Main Principles section of the General Part of these Guidelines). If processing involves the type of activities that are included in the ePrivacy Regulation, the provisions made by this new tool will apply as soon as it is approved. At the present moment, Article 6 of the GDPR defines a total of six possible legal bases. In the case of processing data from social networks, it is essential to underline that ICT researchers or innovators must be aware that they will certainly need different legal bases for data processing at the moment of accessing the data and at the moment they perform their research or innovation based on those data. In the first case, what is needed is a legal basis to obtain the data from the social network. In the second case, it is a matter of finding a basis that allows the data, already legitimately acquired, to be used for research purposes. It is essential to note that the mere fact that the data subjects have published their data in online public spaces does not allow for their processing. These are still personal data, even if the data is publicly available. The publication might serve to avoid the ban included in Article 9.1 of the GDPR, if we are talking about data of special categories, but does not serve as a legal basis for processing. As such, companies may not freely re-use the data, and may not further process it without the individuals’ knowledge and without an adequate basis for lawful processing.