Lawful basis for processing personal data under EU GDPR
Every processing activity must have a documented lawful basis under Article 6 of EU GDPR before processing begins. The basis cannot be changed retrospectively, and different activities within the same organisation may require different bases. Identifying and documenting the correct basis is the foundation of a compliant programme.
The six lawful bases
Article 6(1) of EU GDPR provides six lawful bases for processing personal data. Every processing activity must be mapped to one before processing begins, and the mapping must be documented — ideally in the Article 30 Record of Processing Activities (ROPA).
Consent — Article 6(1)(a)
Valid only where freely given, specific, informed, and unambiguous. Pre-ticked boxes and bundled consent are not valid. Consent made a condition of a contract or service is not freely given. Individuals must be able to withdraw consent as easily as they gave it. A record of what consent was given, and when, must be retained. The EDPB has published detailed guidance on consent that sets a high bar — the ICO position for UK GDPR is substantially the same.
Contract — Article 6(1)(b)
Processing is lawful where necessary for the performance of a contract with the data subject, or to take steps at their request before entering a contract. Necessary means genuinely required — marketing to customers is not necessary to perform a sales contract.
Legal obligation — Article 6(1)(c)
Processing required by EU or member state law. The specific legal obligation must be identified and documented. AML obligations under AMLD4/5, tax reporting requirements and employment law requirements all provide this basis for the relevant processing.
Vital interests — Article 6(1)(d)
Processing necessary to protect the vital interests of the data subject or another person. Applies in life-or-death situations and is rarely relevant outside healthcare and emergency services.
Public task — Article 6(1)(e)
Processing necessary for tasks carried out in the public interest or in the exercise of official authority. Primarily for public authorities and bodies with statutory functions.
Legitimate interests — Article 6(1)(f)
The most flexible basis for private sector organisations. Processing is lawful where necessary for the legitimate interests of the controller or a third party, unless overridden by the data subject’s interests or fundamental rights. Reliance on this basis requires a three-part Legitimate Interests Assessment (LIA): establish the interest is genuine; establish the processing is necessary; balance the interest against the data subject’s rights. The LIA must be documented.
Special category data — Article 9
Processing special category data (health, racial or ethnic origin, political opinions, religious beliefs, trade union membership, biometric data, genetic data, sexual orientation, criminal convictions) requires both an Article 6 basis and a separate Article 9(2) condition. Both must be documented separately in the ROPA for each processing activity involving special category data.
Documenting your lawful basis
The lawful basis must be documented before processing begins and must be reflected in the privacy notice. The EDPB has been explicit that a controller cannot switch lawful basis retrospectively — if consent is withdrawn, the controller cannot then rely on legitimate interests to continue the same processing. The ROPA is the natural home for lawful basis documentation, with LIAs retained separately and cross-referenced.
Note: application of EU GDPR obligations may vary under member state law. Confirm with a practitioner familiar with the relevant jurisdiction.