The six lawful bases for processing personal data
The six lawful bases for processing personal data are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
You need to remember that:
- No single basis is ‘better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the individual.
- Most lawful bases require that processing is ‘necessary’. If you can reasonably achieve the same purpose without the processing, you won’t have a lawful basis.
- You must determine your lawful basis before you begin processing personal data, and you should document it.
- You need to take care to get it right first time – you should not swap to a different lawful basis at a later date without good reason.
- Your privacy notice should include your lawful basis for processing as well as the purposes of the processing (see our section on privacy notices).
- If your purposes change, you may be able to continue processing under the original lawful basis if your new purpose is compatible with your initial purpose – unless your original lawful basis was consent (see our section on obtaining consent).
- If you are processing special category data you need to identify both a lawful basis for general processing and an additional condition for processing this type of data.