What is the lawful basis for processing?

When collecting data it is necessary to clearly understand and communicate the lawful reason for processing to the data subject.

Why is the lawful basis for processing important?

The first data protection principle requires that you process all personal data lawfully, fairly and in a transparent manner. Processing is only lawful if you have a lawful basis under Article 6. And to comply with the accountability principle in Article 5(2), you must be able to demonstrate that a lawful basis applies.

If no lawful basis applies to your processing, your processing will be unlawful and in breach of the first principle. Individuals also have the right to have personal data erased where it has been processed unlawfully.

The individual’s right to be informed under Articles 13 and 14 requires you to provide people with information about your lawful basis for processing. This means you need to include these details in your privacy notice.

The lawful basis for your processing can also affect which rights are available to individuals. For example:

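| Lawful basis | Right to erasure | Right to portability | Right to object |
|---|---|---|---|
| Consent | √ | √ | × (but right to withdraw consent) |
| Contract | √ | √ | × |
| Legal Obligation | × | × | × |
| Vital Interests | √ | × | × |
| Public Task | × | × | √ |
| Legitimate Interests | √ | × | √ |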


The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:

  1. (a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
  2. (b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
  3. (c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
  4. (d) Vital interests: the processing is necessary to protect someone’s life.
  5. (e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  6. (f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

For more detail on each lawful basis, read the relevant page of this guide.