GDPR lawful basis for processing personal data
The General Data Protection Regulation (GDPR) is an EU law designed to protect and enhance the data privacy of its residents. GDPR applies to all businesses and organizations, regardless of their location, that process personal data on EU residents. As legislation, GDPR identifies specific lawful bases under which processing of personal data can occur.
Read our introduction to GDPR to learn more about the regulation.
This article is part of our guidance to GDPR, which aims to help you understand the General Data Protection Regulation and your obligations under the law. However, while industry experts have put together our guide, it does not constitute legal advice. If you require definitive legal guidance, we suggest seeking professional legal advice or visiting the most appropriate Data Protection Authority (DPA).
Lawful Basis for the Processing of Personal Data under GDPR
Article 6 of the GDPR sets out six lawful bases for the processing of personal data. No particular basis is ‘better’ or more important than the others.
Organizations must select the most appropriate basis to use depending on the purpose of processing the information.
GDPR permits the lawful processing of personal data on at least one of the following bases:
1. Consent
The individual has given you clear permission to process their personal data for a specific purpose
2. Contract
The processing of personal information is necessary for a contract with an individual, or to take steps prior to entering into a contract (for example, when providing a quote)
3. Legal obligation
The processing of data is necessary to ensure compliance with the law, excluding contractual obligations
4. Vital interests
The processing of data is necessary to protect someone’s life
5. Public task
The processing of personal data is necessary for you to perform a task in the public interest, or for your official function, both of which have a clear basis in law
6. Legitimate interests
Processing is necessary to satisfy a legitimate interest, either your own or that of a third party. Under this basis, organizations must identify the interest, demonstrate that the processing is required to achieve it, and ensure it is balanced against the individual’s interests, rights and freedoms.
Note, this basis is not applicable to public authorities processing information to perform official tasks.
When is processing ‘necessary’?
Processing does not have to be absolutely essential to be ‘necessary’, but it must be more than just standard practice. The processing of personal data cannot be defined as ‘necessary’ simply because it is part of your organization’s methods, or because your business operates in a particular manner.
Instead, processing needs to be objectively ‘necessary’ and a targeted way of achieving a specific purpose. If your organization can achieve the purpose by processing less data, or no data at all, the lawful basis will not apply.
GDPR Lawful Basis: Understanding each of the bases
For the majority of the bases, the purposes for processing personal data must be “necessary” to be lawful. If the same purpose can be achieved without processing information, yet your organization continues to process data, you are likely to be in breach of the law.
Presented below is each of the GDPR lawful bases in more detail, with additional context and examples.
1. Consent
In data protection law, consent is a core principle, and one of the GDPR’s six legal bases for the processing of personal data.
Conditions for consent
Under GDPR, consent is only valid when:
- The consent is given freely
- It is obvious and requires a clear affirmative action to opt-in
- The consent request is specific and informed
- In the case of explicit consent, it is expressly confirmed in words, rather than by any other affirmative action
You can read more regarding the validity of consent at the UK’s Data Protection Authority’s website.
When is consent required?
Consent may be needed in several circumstances, such as:
- If there is no other lawful basis applicable to data processing
- You want to share or use personal information in potentially intrusive ways or unexpectedly
- You are processing special category data (unless specific conditions apply, explicit consent may be needed to legitimize the processing)
- If your organization makes particular types of marketing calls and messages or uses website cookies and online tracking
How should organizations seek consent?
Under GDPR, the conditions for valid consent are stringent. Consequently, organizations cannot simply rely upon passive acceptance as consent, i.e. inactivity, silence, or pre-ticked boxes.
To seek consent, organizations have to:
- Obtain consent before processing begins, e.g. for websites, this is done typically through privacy notices
- Ensure requests for consent are simple to understand and clear
- Inform individuals clearly what they are consenting to, and of any processing performed under a lawful basis other than the one being consented to
- Be in a position to verify consent
- Provide transparent and detailed opt-in mechanisms
- Document any records of consent
- Permit the withdrawal of consent at any time through simple methods
- Not make the provision of consent a condition of a contract
In the context of online services, an organization processing the data of children has to make sure the child’s age is verified and that consent is provided by a legal guardian.
Consent for scientific research purposes is covered by specific provisions.
Requirement to prove consent
Under the GDPR, organizations must provide evidence to demonstrate that consent has been lawfully obtained. If the only lawful basis for processing personal information is consent, organizations should consider:
- How consent is sought, obtained, and recorded
- Ensuring any consent provided is documented and meets GDPR conditions and standards
- Making sure that agreements with business partners and third-party providers meet GDPR requirements
- Reviewing their audit trail, particularly instances where consent has been obtained on your behalf by a third party
Consent and individual rights
If your organization depends on consent as the lawful basis for processing personal data, then individuals’ rights will be affected. In addition to the right to be informed, consenting individuals will also have the:
- Right to erasure (often referred to as ‘the right to be forgotten’)
- Right to withdraw consent
- Right to data portability
If the only legal basis for processing is consent, individuals will not have the right to object. Read more on GDPR data subject rights.
2. Contract
Under GDPR, organizations can rely on contractual obligations as the lawful basis for processing data in the following circumstances:
- You need to process an individual’s personal data with whom you have a contract in place, and the processing of personal information will ensure you can fulfil your obligations as part of that contract
- A contract with an individual is yet to be made, but they have requested an initial action which will necessitate the processing of personal information, e.g. a request for a quote
Any processing an organization conducts under this basis must be necessary to comply with its contractual obligations. If there are other ways to meet such commitments, this lawful basis will not apply.
3. Legal obligation
Organizations can rely on legal obligation as the lawful basis for processing personal data where processing is needed to comply with a common law or statutory obligation. This lawful basis is not applicable to contractual obligations. The law with which the organization wishes to comply should make clear that processing is necessary for compliance.
Organizations have to be able to identify the specific legal provision they are complying with, or provide evidence or guidance which sets out their legal obligation.
4. Vital interests
This GDPR lawful basis is applicable where processing personal data is necessary to protect an individual’s life.
This lawful basis can cover any individual’s life, not only that of the data subject, but in most cases it applies only to emergency medical treatment.
5. Public task
Organizations processing personal data to exercise official authority, or to perform a specific task, function or power in the public interest, can rely on this GDPR lawful basis, provided the authority or task is set out in law.
While most relevant to public authorities, this GDPR lawful basis can apply to any organization which fulfils the criteria mentioned above.
Any processing must be necessary. If the task, function or power can be performed in a less intrusive way, then this lawful basis does not apply.
6. Legitimate interests
This lawful basis is often viewed as the most accommodating of GDPR’s six legal bases for processing personal information. Theoretically, legitimate interests could apply to any processing performed for any reasonable purpose.
The definition leaves room for interpretation, but that also makes it vague. As such, organizations need to determine and demonstrate that the personal information they are processing is being processed legitimately.
Legitimate interests could include your company’s interests, third party interests, and commercial interests. The GDPR highlights several potential legitimate interests, including processing client or employee information, marketing, fraud prevention, intra-group transfers or IT security. While these are not exhaustive, what is clear is that these interests must be weighed against the interests of the data subject(s).
Legitimate interests are likely to be appropriate when processing is performed in a manner that data subjects would deem reasonable, and where the impact on their privacy is minimal.
If an organization depends on legitimate interests, the right to data portability is not applicable.
Processing Personal Data: Determining the GDPR Lawful Basis
A GDPR data audit will give businesses insight into their processing activities and establish under which GDPR lawful basis they are processing personal information.
An explanation of your legal basis needs to be provided when dealing with subject access requests and in your privacy notice. You will also need to demonstrate the applicability of a lawful basis to ensure compliance with the GDPR accountability principle.
Establishing the GDPR lawful basis under which your organization processes personal data
The purpose of processing personal information will determine which legal basis will apply. Consequently, organizations must consider why they need to perform processing, and conclude which lawful basis best fits that context.
It may be that more than one basis applies, in which case organizations should identify and document all applicable legal bases from the outset. To satisfy any regulatory authority, organizations can carry out a full legitimate interests assessment (LIA).
No single basis is more important than the others, and organizations must refrain from taking a one-size-fits-all approach. In some cases, the legal basis may vary the rights available to the data subject(s). See data subject rights under the GDPR.
When determining the lawful basis, organizations should:
- Ensure that processing is necessary for the purpose
- Make certain that the purpose cannot be achieved without processing personal information
- Demonstrate compliance by documenting the choice of a particular lawful basis
- Detail the purpose and the lawful basis for processing in their privacy notice
- Recognize and document the legal basis for special category data or criminal offence data
The GDPR’s lawful bases covering legal obligation, contractual obligations, vital interests, and public tasks each relate to a specified purpose. The appropriate GDPR lawful basis will be evident if organizations are processing for one of these purposes. If none of these applies to your circumstances, then the choice will be between legitimate interests and consent.
For most commercial businesses, consent, legal obligations or legitimate interests will be the lawful basis on which they process personal data.
What if a new purpose for processing personal information is identified?
Organizations may find that the purpose for processing personal data changes over time, or a new unanticipated purpose has been identified. In some cases, a new lawful basis may not be required, provided the new purpose and original purpose remain compatible.
To determine if the new purpose is compatible with the original purpose, organizations should consider:
- Any relationship between the two purposes
- The context in which the information was collected, giving particular consideration to the reasonable expectations of the individual whose data is being collected
- The type of personal data, e.g. whether it is criminal offence data or special category data
- Consequences for individuals of the new purpose and processing
- If any appropriate safeguards are in place, for example encryption or pseudonymisation
Since consent must always be specific and informed, the above does not apply to the lawful basis of consent. Processing data for a new purpose would undermine the original consent.
In such circumstances, organizations will need to re-obtain consent to cover the new purpose. If organizations successfully obtain consent for a new purpose, they do not need to show it is compatible.