GDPR Legal Basis

A core GDPR requirement is that any processing of personal data must have a valid business purpose AND one of the six lawful (legal) bases that the GDPR allows.

You must determine your business purpose and legal basis before you begin any processing and you should document it in your GDPR register and privacy policy. Your choice of legal basis depends on the purpose of the data processing.

It is possible that you need to process the same set of personal data for a number of different purposes. Each of those purposes needs to have a valid legal basis (not necessarily the same one).

You must be able to explain your legal basis for processing personal data in your privacy policy and when you answer a data access request. There are six legal bases available to justify the processing of personal data, set out in Article 6 of the GDPR:

  1. Consent
  2. Performance of a Contract (including taking steps to enter into a contract)
  3. Legal obligation
  4. Vital interest of the data subject or another individual
  5. Task of public interest
  6. Legitimate interest of the data controller

Which one is the most appropriate depends on the context of your processing.

Five of the six legal bases are fairly self-explanatory. When you want to rely on the legitimate interest of the data controller, you will need to reflect on it and apply a test to determine whether this legal basis is appropriate. Please read up on this in our knowledge base item about legitimate interest.