GDPR Legal Basis
A core GDPR requirement is that any processing of personal data must have a valid business purpose AND one of the six lawful / legal basis that GDPR allows.
It is possible that you need to process the same set of personal data for a number of different purposes. Each of those purposes needs to have a valid legal basis (not necessarily the same one).
- Performance of a Contract (including taking steps to enter into a contract)
- Legal obligation
- Vital interest of the data subject or another individual
- Task of public interest
- Legitimate interest of the data controller
Which one that is the most appropriate depends on the context of your processing.
Five of the six legal basis are fairly self-explanatory. When you want to refer to the legitimate interest of the data controller, you will need to reflect and apply a test to determine whether this legal basis is appropriate. Please read up on this in our knowledge base item about legitimate interest.