Introduction
This checklist provides guidance to in-house counsel and private practitioners about the lawful bases upon which personal data can be processed, in accordance with article 6 of Regulation (EU) 2016/679 – General Data Protection Regulation 2016/679 (EU GDPR), in order to assist them when advising internal or external clients on these issues.
The checklist is EU-focused and covers:
- the general requirements under the EU GDPR; and
- the European Data Protection Board (EDPB) and, where relevant, EU member states’ supervisory authorities’ interpretation of such EU GDPR requirements.
This checklist does not address UK-specific data protection law requirements. However, it should be noted that the UK retained the EU GDPR in domestic law following Brexit (commonly referred to as the ‘UK GDPR’), with necessary changes to accommodate domestic areas of UK law. Therefore, insofar as the supervisory authority of the UK (the Information Commissioner’s Office (ICO)) has published guidelines specific to the EU GDPR (prior to Brexit) and the UK GDPR (after Brexit), such guidelines can assist when providing a helpful overview of the subject matter in this guide.
The EU GDPR requires that an organisation’s processing of personal data comes within one of six bases (or reasons) in order for that processing to be lawful.
Documenting your organisation’s decisions on which of the lawful bases applies to your data processing will also help with demonstrating compliance with this aspect of the EU GDPR.
The checklist addresses the six key lawful bases of data processing:
- Consent of the data subject
- Performance of contract
- Performance of a legal obligation
- Protection of vital interests
- Performance of a task in the public interest
- Legitimate interests
The checklist is presented as a list of questions/decision tree to help you decide which of the six bases is the most appropriate lawful one to rely on for your relevant processing situation and, accordingly, if personal data is being processed lawfully. Make sure that you answer the questions under each basis in order.
At the end of the document, there are explanatory notes corresponding to each requirement in the checklist.
Key definitions, such as ‘controller’, ‘processor’, ‘data subject’, ‘personal data’ and ‘processing’, are further explained in How-to guide: Understanding key data protection definitions.
This checklist can be used in conjunction with How-to guide: How to ensure compliance with the GDPR and Checklist: GDPR compliance self-assessment audit.
Step 1 – Consent of the data subject
| No. | Criteria | Criteria met? | Result |
|---|---|---|---|
| 1.1 | Can you offer the individual a genuine choice regarding the processing of their personal data? | Yes/No | Yes, go to step 1.2. No, try an alternative lawful basis. |
| 1.2 | Are you looking to make consent a precondition of a service? | Yes/No | No, go to step 1.3. Yes, try an alternative lawful basis. |
| 1.3 | Can the individual refuse consent without detriment? | Yes/No | Yes, go to step 1.4. No, try an alternative lawful basis. |
| 1.4 | Can you deal with requests to withdraw consent? | Yes/No | Yes, go to step 1.5. No, try an alternative lawful basis. |
| 1.5 | Is your organisation a public authority, employer or in a position of power over individuals? | Yes/No | Yes, go to step 1.6 (but see explanatory note 1.5 as this may affect your ability to rely on consent). No, try an alternative lawful basis. |
| 1.6 | Is consent recorded? | Yes/No | Yes, go to step 1.7. No, try an alternative lawful basis. |
| 1.7 | Is a more appropriate lawful basis available? | Yes/No | Yes, this may affect your ability to rely on consent (see explanatory note 1.7). No, go to step 1.8. |
| 1.8 | Is the form of consent itself valid? | Yes/No | Yes, consent is appropriate. No, consent will be invalid – see explanatory note 1.8. |
Step 2 – Performance of contract
| No. | Criteria | Criteria met? | Result |
|---|---|---|---|
| 2.1 | Are you processing the personal data to perform a contract with the individual? | Yes/No | Yes, go to step 2.3. No, go to step 2.2. |
| 2.2 | Are you processing the personal data to take steps that the individual has asked you to take, prior to entering into a contract with them? | Yes/No | Yes, go to step 2.3. No, try an alternative lawful basis. |
| 2.3 | Is the processing necessary for this purpose? | Yes/No | Yes, go to step 2.4. No, try an alternative lawful basis. |
| 2.4 | Do any other lawful bases need to be considered (see step 1 above and steps 3 to 6 below)? | Yes/No | No, this lawful basis is appropriate. Yes, try an alternative or additional lawful basis. |
Step 3 – Performance of a legal obligation
| No. | Criteria | Criteria met? | Result |
|---|---|---|---|
| 3.1 | Are you processing the personal data to comply with your legal obligations? | Yes/No | Yes, go to step 3.2. No, try an alternative lawful basis. |
| 3.2 | Is the processing necessary for this purpose? | Yes/No | Yes, go to step 3.3. No, try an alternative lawful basis. |
| 3.3 | Do any other lawful bases need to be considered (see steps 1 and 2 above and steps 4 to 6 below)? | Yes/No | No, this lawful basis is appropriate. Yes, try an alternative or additional lawful basis. |
Step 4 – Protection of vital interests
| No. | Criteria | Criteria met? | Result |
|---|---|---|---|
| 4.1 | Are you processing the personal data to protect the individual’s vital interests? | Yes/No | Yes, go to step 4.3. No, go to step 4.2. |
| 4.2 | Are you processing the personal data to protect another person’s vital interests? | Yes/No | Yes, go to step 4.3. No, try an alternative lawful basis. |
| 4.3 | Is the processing necessary for this purpose? | Yes/No | Yes, go to step 4.4. No, try an alternative lawful basis. |
| 4.4 | Do any other lawful bases need to be considered (see steps 1 to 3 above and steps 5 and 6 below)? | Yes/No | No, this lawful basis is appropriate. Yes, try an alternative or additional lawful basis. |
Step 5 – Performance of a task in the public interest
| No. | Criteria | Criteria met? | Result |
|---|---|---|---|
| 5.1 | Are you processing the personal data to fulfil tasks that are in the ‘public interest’? | Yes/No | Yes, go to step 5.2. No, try an alternative lawful basis. |
| 5.2 | Is the processing necessary for this purpose? | Yes/No | Yes, go to step 5.3. No, try an alternative lawful basis. |
| 5.3 | Do any other lawful bases need to be considered (see steps 1 to 4 above and step 6 below)? | Yes/No | No, this lawful basis is appropriate. Yes, try an alternative or additional lawful basis. |
Step 6 – Legitimate interests
| No. | Criteria | Criteria met? | Result |
|---|---|---|---|
| 6.1 | Are you processing the personal data to further your own legitimate interests? | Yes/No | Yes, go to step 6.3. No, go to step 6.2. |
| 6.2 | Are you processing the personal data to further the legitimate interests of a third party? | Yes/No | Yes, go to step 6.3. No, try an alternative lawful basis. |
| 6.3 | Is the processing necessary for this purpose? | Yes/No | Yes, go to step 6.4. No, try an alternative lawful basis. |
| 6.4 | Have you satisfied the ‘balancing test’ and satisfied any other applicable requirements, for example, have you done a legitimate interests assessment (LIA), provided an opt out or implemented other additional safeguards? | Yes/No | Yes, go to step 6.5. No, try an alternative lawful basis. |
| 6.5 | Do any other lawful bases need to be considered (see steps 1 to 5 above)? | Yes/No | No, this lawful basis is appropriate. Yes, try an alternative or additional lawful basis. |
Explanatory notes
Legal framework
The checklist covers the requirements under:
- the EU GDPR;
- EDPB Guidelines 05/2020 on consent under Regulation 2016/679 (EDPB consent guidelines);
- EDPB Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects (EDPB online services guidelines), which focus on the performance of contract lawful basis; and
- EDPB Guidelines 08/2020 on the targeting of social media users (EDPB social media guidelines), which focus on the consent and legitimate interests lawful bases.
Article 6, EU GDPR requires that an organisation’s processing of personal data comes within one of six bases (or reasons) in order for that processing to be lawful, as listed in the introduction and corresponding with each of the steps outlined in the tables above. This requirement only applies to controllers.
Multiple lawful bases may apply to the same data if you are processing it for different reasons. For example, if the individual has a free choice over some elements of the processing, consent will be the appropriate basis for those, but you would need a separate lawful basis for the other elements. The EDPB has clarified in its own guidelines that the application of one of the six bases must be established prior to the processing activity and in relation to a specific purpose. According to the legal bases for processing personal data guidance note published by Ireland’s Data Protection Commission (DPC), ‘there is no hierarchy or preferred option within this list [of lawful bases], instead each instance of processing should be based on the legal basis which is most appropriate in the specific circumstances’.
Each lawful basis (aside from consent) includes a requirement that the processing must be ‘necessary’ for a specific purpose. According to the UK’s supervisory authority (the ICO) lawful basis guidance, ‘The question is whether the processing is objectively necessary for the stated purpose, not whether it is a necessary part of your chosen methods’.
If your purposes change over time or you have a new purpose which you did not originally anticipate, you need to comply with the purpose limitation principle. You can only go ahead if: (1) the new purpose is compatible with the original purpose; (2) you get the individual’s specific consent for the new purpose; or (3) you can point to a clear legal provision requiring or allowing the new processing in the public interest. All processing must also be lawful, so you do need a lawful basis. The original basis you used to collect the data may not always be appropriate for your new use of that data.
This checklist focuses only on processing personal data that is not ‘special category personal data’ or ‘criminal data’. Additional requirements apply to these types of more sensitive information, which are explained only briefly below.
Specific requirements applicable to children’s consent are not covered in this checklist. See the guidance on children and the GDPR published by Ireland’s DPC.
Special category data
Article 9, EU GDPR designates special categories of personal data as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Additional requirements must be met in order to make processing of such data lawful. In fact, processing of these more sensitive categories of data will not be lawful unless it satisfies both:
- a lawful basis under article 6, EU GDPR; and
- an exemption or condition under article 9, EU GDPR.
See the section on special category data in How-to guide: How to ensure compliance with the GDPR.
Criminal data
Additional requirements apply in order to make processing of certain types of criminal data lawful. Criminal data means ‘criminal convictions and offences or related security measures based on article 6(1)’ (article 10, EU GDPR).
Processing of these more sensitive categories of data will not be lawful unless it satisfies both:
- a lawful basis under article 6, EU GDPR; and
- an exemption or condition under article 10, EU GDPR.
See the section on criminal data in How-to guide: How to ensure compliance with the GDPR.
What else do organisations have to do to ensure that personal data is processed lawfully?
The requirements listed in the steps outlined in the tables above are not the only obligations that an organisation needs to meet to ensure that personal data processing is lawful. The various other provisions of the GDPR (such as the data protection principles in article 5, EU GDPR) must be complied with, as well as any other applicable laws and industry-specific rules.
Notes on specific requirements
Step 1 – Consent of the data subject
Consent is not always required, but the data subject’s consent can be relied on to lawfully process personal data. Processing relying on consent must be for one or more specific purposes (article 6(1)(a), EU GDPR).
1.1 Can you offer the individual a genuine choice regarding the processing of their personal data?
If, in practice, you would go ahead and process personal data anyway (even if an individual changed their mind later on), consent will not be the correct lawful basis to use.
1.2 Are you looking to make consent a precondition of a service?
You should avoid making consent a precondition of providing a service. This is because if you do condition a service on consent, you cannot offer individuals a real choice over how you use their data.
1.3 Can the individual refuse consent without detriment?
Individuals should be able to refuse consent without detriment – this is part of the requirement that consent must be freely given. See step 1.8 below.
1.4 Can you deal with requests to withdraw consent?
A defining feature of consent is that it can be withdrawn at any time. Processing systems must be set up to deal with this. If, in practice, you would continue to process the data, consent is not the appropriate lawful basis to use.
1.5 Is your organisation a public authority, employer or in a position of power over individuals?
Organisations that are in a position of power will need to be careful when relying on consent as they will need to be able to demonstrate that the consent is ‘freely given’. For example, public authorities and employers will need to take extra precautions to position any consent requests as voluntary and to not be seen as putting pressure on individuals to consent for fear of adverse consequences as regards their ability to access vital public services or concerning their employment, for instance.
1.6 Is consent recorded?
Processing systems must be set up to record details of the consent that was given (ie, when consent was given and what the individual consented to). If this cannot be accommodated, it will be difficult to rely on consent.
1.7 Is a more appropriate lawful basis available?
You may decide to rely on consent where you want to make certain processing voluntary (eg, carrying out a survey) in circumstances where an alternative lawful basis (ie, legitimate interests) could technically have been relied on instead. However, be aware that once you have decided to rely on consent to process personal data, you cannot later decide to switch to a different lawful basis (eg, if consent is withdrawn).
1.8 Is the form of consent itself valid?
For the consent to be valid, it must meet the requirements under recitals 32 and 43 and articles 4(11) and 7 of the EU GDPR, including that:
- the consent request must be prominent and separate from other terms and conditions;
- the consent must be:
  - active (ie, a positive opt-in);
  - fully informed;
  - freely given;
  - unambiguous;
  - specific or granular;
  - recorded;
  - as easy to withdraw as it is to give, and the individual must be informed of their right to withdraw consent upfront; and
- the consent must not use pre-ticked boxes or any other method of default consent.
Consents must be kept under review and refreshed at appropriate intervals.
Step 2 – Performance of contract
2.1 Are you processing the personal data to perform a contract with the individual?
The first part of this lawful basis is relevant if you have a contract with the individual and you need to process their personal data:
- to comply with your obligations under the contract; or
- so that they can comply with specific counter-obligations under the contract (eg, processing their payment details).
It does not apply to:
- processing of personal data of anyone other than the contract holder; or
- collection and reuse of customer data for your own business purposes, even if your standard contractual terms or commercial model provide for this.
2.2 Are you processing the personal data to take steps that the individual has asked you to take, prior to entering into a contract with them?
The second part of this lawful basis is relevant if you have not yet got a contract with the individual, but they have asked you to do something as a precursor to the contract with them (eg, provide a quote) and you need to process their personal data to fulfil their request.
It does not apply to:
- pre-contractual steps that you take on your own initiative (eg, credit checks – see ‘legitimate interests’);
- processing done to meet other obligations; or
- processing done at the request of a third party.
It does not matter that the person does not ultimately enter into a contract; the key issue is that the processing was in the context of a potential contract with that individual.
2.3 Is the processing necessary for this purpose?
The processing needs to be necessary to perform the contract with the individual or to take the pre-contract steps that they ask you to take. See general notes above.
2.4 Do any other lawful bases need to be considered?
If you satisfy this lawful basis, it is not necessary to obtain consent as well. However, if a specific lawful basis does not cover all your reasons for processing the personal data in the relevant context, you must look to satisfy an additional lawful basis or bases for the remainder of the processing. See step 1 above and steps 3 to 6 below.
Step 3 – Performance of a legal obligation
3.1 Are you processing the personal data to comply with your legal obligations?
This lawful basis is relevant if you have to process individuals’ personal data to comply with a legal obligation that applies to your organisation.
It applies to the following EU obligations:
- common law obligations;
- statutory obligations;
- regulatory requirements that have a statutory basis and require regulated organisations to comply; and
- court orders.
It does not apply to contractual obligations – this typically comes within ‘performance of contract’ (see above) or ‘legitimate interests’ (for third party obligations, see step 6.2 below).
3.2 Is the processing necessary for this purpose?
The processing needs to be necessary to perform the legal obligation as a reasonable and proportionate way of complying. This basis will not be available if you can exercise discretion over whether or not to process the personal data or if compliance could be achieved by other reasonable means. See general notes above.
3.3 Do any other lawful bases need to be considered?
See steps 1 and 2 above and steps 4 to 6 below.
Step 4 – Protection of vital interests
4.1 Are you processing the personal data to protect the individual’s vital interests?
This lawful basis is relevant if you have to process personal data to protect someone’s life. It is a narrow lawful basis of last resort that applies to ‘life and death’ situations (eg, emergency medical care when a person is incapable of giving consent).
If health data is being processed, you will also need to satisfy an exemption or condition for processing special category data (see article 9, EU GDPR).
4.2 Are you processing the personal data to protect another person’s vital interests?
Processing of one individual’s personal data to protect the vital interests of another may be relevant, for instance, where you need to process a parent’s personal data to protect a child’s vital interests. The same considerations as outlined in step 4.1 above apply here as well.
4.3 Is the processing necessary for this purpose?
The processing needs to be necessary to protect the vital interests of the individual or third party. If you can reasonably protect the person’s vital interests in another less intrusive way, this basis will not be appropriate. See general notes above.
4.4 Do any other lawful bases need to be considered?
See steps 1 to 3 above and steps 5 and 6 below.
Step 5 – Performance of a task in the public interest
5.1 Are you processing the personal data to fulfil tasks that are in the ‘public interest’?
The first part of this lawful basis is relevant if you have to process individuals’ personal data to perform a task in the public interest that is set out in EU or member state law. This includes clear common law tasks, functions or powers, plus those set out in statute or in statutory guidance.
For example, article 43 of Directive (EU) 2015/849 – The Fourth Anti-Money Laundering Directive provides that ‘the processing of personal data on the basis of this Directive for the purposes of the prevention of money laundering and terrorist financing … shall be considered to be a matter of public interest under Regulation (EU) 2016/679 of the European Parliament and of the Council’.
If you are processing special category data, you also need to satisfy an exemption for processing this type of data (see article 9, EU GDPR).
5.2 Is the processing necessary for this purpose?
The processing needs to be necessary to perform the task in the public interest. This basis will not be available if you could reasonably perform your tasks or exercise your authority in a less intrusive way or without processing personal data. See general notes above.
5.3 Do any other lawful bases need to be considered?
See steps 1 to 4 above and step 6 below.
Step 6 – Legitimate interests
6.1 Are you processing the personal data to further your own legitimate interests?
The EDPB has published Guidelines on the processing of personal data based on Article 6(1)(f) GDPR. The guidelines provide a helpful guide on when legitimate interests can and cannot be used. The guidelines set out three cumulative conditions to be fulfilled in order for legitimate interests to be used as a lawful basis:
- first, the pursuit of a legitimate interest by the controller or by a third party;
- second, the need to process personal data for the purposes of the legitimate interest(s) pursued; and
- third, the interests or fundamental freedoms and rights of the concerned data subjects do not take precedence over the legitimate interest(s) of the controller or of a third party.
According to the supervisory authority of the UK (the ICO) in its legitimate interests guidance, this basis ‘is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.’
Public authorities can rely on legitimate interests only to the extent that they are processing personal data for a legitimate reason outside their tasks as a public authority.
Legitimate interests can include business interests, individual interests or broader societal benefits. The EU GDPR lists, non-exhaustively, certain processing activities and purposes that will be ‘legitimate interests’, such as fraud prevention and network and information security, and indicating possible criminal acts or threats to public security. In addition, the EU GDPR (at recital 47) indicates that legitimate interests may (but will not always) apply to processing employee or client data, direct marketing or intra-group administrative transfers.
Not all interests of the controller or a third party may be deemed legitimate. Interests should be lawful, clearly articulated and current as at the time the processing commences. It is the responsibility of the controller to inform the data subject of the legitimate interests pursued when relying on this basis for processing.
6.2 Are you processing the personal data to further the legitimate interests of a third party?
Similar considerations apply to processing that is in the legitimate interests of a third party – see step 6.1 above.
6.3 Is the processing necessary for this purpose?
The processing needs to be strictly necessary for the purposes of your or the third party’s legitimate interests. When carrying out an assessment on the use of legitimate interests as a lawful basis, take care to ensure that the data processed is relevant for the purposes pursued and limited to what is necessary to achieve the purpose, taking into account the data minimisation principle in article 5, EU GDPR. This basis will not be available if you could reasonably fulfil these purposes in a less intrusive way or without processing personal data. See general notes above.
6.4 Have you satisfied the ‘balancing test’ and any other applicable requirements?
It is not enough simply to have a legitimate interest: the legitimate interest must not be overridden by the interests or fundamental rights and freedoms of individuals (such as financial, social or personal interests). Take into account the reasonable expectations of those individuals, based on the relationship between the organisation and such individuals, and implement mitigating measures that limit the impact of the processing.
Fundamental rights and freedoms of individuals include the right to data protection and privacy, but also other rights (eg, the right to liberty and security, freedom of expression and information, freedom of thought, conscience and religion, freedom of assembly and association, prohibition of discrimination, the right of property, or the right to physical and mental integrity).
Condition 32 of the guidelines sets out what the controller must be able to identify and describe:
- the data subjects’ interests, fundamental rights and freedoms;
- the impact of the processing on data subjects, including:
  - the nature of the data to be processed;
  - the context of the processing; and
  - any further consequences of the processing;
- the reasonable expectations of the data subject; and
- the final balancing of opposing rights and interests, including the possibility of further mitigating measures.
The practice of legitimate interests assessments (LIAs) to support an organisation’s reliance on legitimate interest as a lawful ground is finding favour and can be found in recent EU supervisory authority investigations and enforcement actions.
The UK’s ICO also recommends doing an LIA and provides a useful tool to assist organisations.
It may also be necessary to provide an opt out and give effect to individuals’ right to object to processing on the basis of legitimate interests, and to implement additional safeguards to protect people’s rights.
For further information on legitimate interests, see the EDPB social media guidelines, the ICO’s guidance on legitimate interests and the legitimate interests section of Ireland’s DPC guidance on the legal bases for processing personal data.
6.5 Do any other lawful bases need to be considered?
See steps 1 to 5 above. If you need consent under other legislation (eg, the electronic marketing rules under Directive (EU) 2002/58 – ePrivacy Directive (as implemented in the applicable member state)), the general position is that you should be relying on consent under the EU GDPR.
Additional resources
EDPB guidelines on processing personal data based on Article 6(1)(f)
EDPB social media guidelines
EDPB consent guidelines
EDPB online services guidelines