Legal Basis for Processing

A legal basis is the lawful ground your organisation must have in order to process personal data. Without a valid legal basis, the processing is unlawful — regardless of how good a reason you believe you have. GDPR Article 6 defines six possible grounds.

    What is a legal basis for processing?

    Under the GDPR, every instance of personal data processing must be founded on a valid legal basis. This is one of the fundamental principles of data protection law and is set out in Article 6(1). The legal basis must be identified and documented before the processing begins — it cannot be determined retroactively.

    The requirement applies to all forms of processing: collection, storage, use, sharing, and deletion. As a data controller, your organisation is responsible for demonstrating that a valid legal basis exists for each processing activity.

    The six legal bases

    GDPR Article 6(1) sets out six legal bases for processing personal data:

    • Consent (Art. 6(1)(a)): The data subject has given clear, informed and freely given consent to the processing for one or more specific purposes. Consent must be as easy to withdraw as it is to give.
    • Contract (Art. 6(1)(b)): Processing is necessary for the performance of a contract with the data subject, or to take steps at their request prior to entering into a contract.
    • Legal obligation (Art. 6(1)(c)): Processing is necessary for compliance with a legal obligation to which the controller is subject (e.g. tax legislation, employment law).
    • Vital interests (Art. 6(1)(d)): Processing is necessary to protect the vital interests of the data subject or another natural person. This basis is rarely applicable outside life-threatening situations.
    • Public interest (Art. 6(1)(e)): Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority. Primarily relevant to public bodies.
    • Legitimate interests (Art. 6(1)(f)): Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights of the data subject. Requires a balancing test.

    Special categories of personal data

    For special categories of personal data (sensitive data such as health data, ethnic origin, political opinions, biometric data), Article 9 imposes additional requirements. Processing of sensitive data is prohibited unless one of the specific exemptions in Article 9(2) applies — for example, explicit consent or a substantial public interest.

    Documentation in practice

    Your organisation must document the legal basis for each processing activity. This is typically done in your record of processing activities (Article 30). For each activity, state which legal basis applies and explain why. If you rely on legitimate interests, you must also document the balancing test (Legitimate Interest Assessment).


    Choose the right basis from the start:
    Switching legal basis after processing has begun is problematic and may render prior processing unlawful. Carefully assess and document the correct legal basis before you start processing personal data.

    A thorough understanding of legal bases is essential for a successful data protection impact assessment and for demonstrating compliance with the accountability principle.

    Frequently Asked Questions about Legal Basis for Processing

    What is a legal basis for processing personal data?

    A legal basis is the lawful ground that entitles an organisation to process personal data under GDPR Article 6. Without a valid legal basis, any processing of personal data is unlawful.

    What are the six legal bases under GDPR?

    The six legal bases are: (1) consent, (2) performance of a contract, (3) legal obligation, (4) vital interests, (5) public interest, and (6) legitimate interests. Each has specific conditions that must be met.

    Can I change the legal basis after processing has started?

    Changing the legal basis after processing has begun is problematic and generally discouraged. The legal basis should be identified and documented before processing starts. A change may render prior processing unlawful.

    When should I use consent versus legitimate interests?

    Use consent when you want to give the data subject genuine choice and control. Use legitimate interests when the processing is reasonably expected and has a minimal privacy impact, but always conduct and document a balancing test (Legitimate Interest Assessment).

    Do I need a separate legal basis for sensitive personal data?

    Yes. In addition to a legal basis under Article 6, processing of special categories of personal data (sensitive data) requires meeting one of the conditions in Article 9(2), such as explicit consent or a substantial public interest ground.
