The six GDPR lawful bases for processing
Under the EU/UK General Data Protection Regulation, you may not process personal data unless you have a valid lawful basis. Article 6(1) sets out exactly six, and you must identify the right one for each processing purpose before you begin. This reference lists all six with the condition that triggers them, a plain example, and a note on how the basis affects individuals’ rights.
The six bases at a glance
| Basis | Article 6(1) | When it applies | Key rights impact |
|---|---|---|---|
| Consent | (a) | Clear, freely given opt-in | Portable; easily withdrawn |
| Contract | (b) | Necessary to perform or prepare a contract | Portable |
| Legal obligation | (c) | Required by law or regulation | No right to erasure while obligation applies |
| Vital interests | (d) | Life-or-death situations | Narrow — only where consent impossible |
| Public task | (e) | Official public authority function | Right to object applies |
| Legitimate interests | (f) | Genuine interest not overridden by data subject rights | Right to object; needs balancing test |
Each basis in depth
Consent (6(1)(a)). Must be freely given, specific, informed, and unambiguous. Silence, pre-ticked boxes, and bundled consent are not valid. The data subject can withdraw consent at any time, and withdrawal must be as easy as giving it. Use consent where you process data beyond what the service strictly requires — for example, sending optional marketing emails.
Contract (6(1)(b)). Processing is necessary to perform a contract the data subject is party to, or to take pre-contractual steps at their request. A delivery address for an order, or credit checks before signing a lease, fall here. Processing for your convenience or to improve service quality is not “necessary” under contract.
Legal obligation (6(1)(c)). Processing is required to comply with a law or regulation. Payroll processing for HMRC, retaining VAT records for six years, or checking right-to-work documents. The obligation must stem from UK or EU law — your own contractual terms do not count.
Vital interests (6(1)(d)). Processing is necessary to protect someone’s life, typically in a medical emergency where the person cannot give consent. This is a narrow basis rarely used outside the health sector.
Public task (6(1)(e)). Processing is necessary for a task carried out in the public interest or in the exercise of official authority. Primarily for public bodies, regulators, and those processing under statutory powers. Private companies rarely rely on this basis.
Legitimate interests (6(1)(f)). Processing is necessary for a genuine interest of the controller or a third party, provided it is not overridden by the data subject’s rights. The most flexible basis, requiring a documented Legitimate Interests Assessment (LIA) covering three parts: (1) purpose — is the interest real and legitimate?; (2) necessity — is processing necessary or could a less intrusive approach work?; (3) balancing — do the individual’s interests or rights override the legitimate interest?
Which basis to choose in practice
- Marketing to existing customers: often legitimate interests (soft-opt-in), unless you need explicit consent (e.g., electronic marketing to individuals under PECR in the UK requires consent).
- Processing employee data: usually a mix of contract (for payroll), legal obligation (for tax), and sometimes legitimate interests (for access logging and security monitoring).
- Analytics on website visitors: typically requires consent via cookie banner, since this goes beyond what is necessary to deliver the service.
Rights that depend on the basis
- Right to data portability (Article 20): only applies to consent and contract.
- Right to erasure (Article 17): does not apply where legal obligation or vital interests are the basis and the processing is still required.
- Right to object (Article 21): applies to legitimate interests and public task. The controller must stop unless it can demonstrate compelling legitimate grounds that override the individual’s interests.
Key rule
Document one lawful basis per processing purpose before processing starts, not retrospectively. Switching bases later is difficult under GDPR and can be seen as unfair. Keep a Record of Processing Activities (ROPA) that maps each purpose to its basis and documents why that basis was chosen.