Introduction
This checklist provides guidance to in-house counsel and private practitioners about the lawful bases upon which personal data can be processed in accordance with Article 6 of the GDPR, in order to assist them when advising internal/external clients on these issues.
The checklist is UK-focused but covers:
- general requirements under the EU GDPR, as these may still be relevant to some UK organisations to which the EU GDPR applies due to the application of the extra-territorial scope provisions in Article 3(2), EU GDPR; and
- the ICO’s interpretation of such EU GDPR requirements.
However, it does not cover any local EEA data protection law requirements or interpretation of the EU GDPR by EEA data protection regulators.
The GDPR requires that an organisation’s processing of personal data comes within one of six bases (or reasons) in order for that processing to be lawful.
Documenting your organisation’s decisions on which of the lawful bases applies to your data processing will also help with demonstrating compliance with this aspect of the GDPR.
The checklist addresses the six key lawful bases of data processing:
- Consent of the data subject
- Performance of contract
- Performance of a legal obligation
- Protection of vital interests
- Performance of a task in the public interest or exercising official authority, and
- Legitimate interests.
The checklist is presented as a list of questions/decision tree to help you decide which of the six bases is the most appropriate lawful one to rely on for your relevant processing situation and, accordingly, if personal data is being processed lawfully. Make sure that you answer the questions under each basis in order.
At the end of the document, there are explanatory notes corresponding to each requirement in the checklist.
Key definitions, such as ‘controller’, ‘processor’, ‘data subject’, ‘personal data’ and ‘processing’, are further explained in How to Guide: Understanding key data protection definitions.
This checklist can be used in conjunction with How-to guide: How to ensure compliance with the GDPR and Checklists: GDPR compliance self-assessment audit and Data subject access rights under the GDPR.
Step 1 – Consent of the data subject
| No. | Criteria | Criteria met? | Result |
|---|---|---|---|
| 1.1 | Can you offer the individual a genuine choice regarding the processing of their personal data? | Yes/No | Yes, go to 1.2. No, try an alternative lawful basis. |
| 1.2 | Are you looking to make consent a precondition of a service? | Yes/No | No, go to 1.3. Yes, try an alternative lawful basis. |
| 1.3 | Can the individual refuse consent without detriment? | Yes/No | Yes, go to 1.4. No, try an alternative lawful basis. |
| 1.4 | Can you deal with requests to withdraw consent? | Yes/No | Yes, go to 1.5. No, try an alternative lawful basis. |
| 1.5 | Is your organisation a public authority, employer or in a position of power over individuals? | Yes/No | Yes, go to 1.6 (but see explanatory note 1.5 as this may affect your ability to rely on consent). No, try an alternative lawful basis. |
| 1.6 | Is consent recorded? | Yes/No | Yes, go to 1.7. No, try an alternative lawful basis. |
| 1.7 | Is a more appropriate lawful basis available? | Yes/No | Yes, this may affect your ability to rely on consent (see explanatory note 1.7). No, go to 1.8. |
| 1.8 | Is the form of consent itself valid? | Yes/No | Yes, consent is appropriate. No, consent will be invalid – see explanatory note 1.8. |
Step 2 – Performance of contract
| No. | Criteria | Criteria met? | Result |
|---|---|---|---|
| 2.1 | Are you processing the personal data to perform a contract with the individual? | Yes/No | Yes, go to 2.3. No, go to 2.2. |
| 2.2 | Are you processing the personal data to take steps that the individual has asked you to take, prior to entering into a contract with them? | Yes/No | Yes, go to 2.3. No, try an alternative lawful basis. |
| 2.3 | Is the processing necessary for this purpose? | Yes/No | Yes, go to 2.4. No, try an alternative lawful basis. |
| 2.4 | Do any other lawful bases need to be considered (see tables above and below)? | Yes/No | No, this lawful basis is appropriate. Yes, try an alternative/additional lawful basis. |
Step 3 – Performance of a legal obligation
| No. | Criteria | Criteria met? | Result |
|---|---|---|---|
| 3.1 | Are you processing the personal data to comply with your legal obligations? | Yes/No | Yes, go to 3.2. No, try an alternative lawful basis. |
| 3.2 | Is the processing necessary for this purpose? | Yes/No | Yes, go to 3.3. No, try an alternative lawful basis. |
| 3.3 | Do any other lawful bases need to be considered (see tables above and below)? | Yes/No | No, this lawful basis is appropriate. Yes, try an alternative/additional lawful basis. |
Step 4 – Protection of vital interests
| No. | Criteria | Criteria met? | Result |
|---|---|---|---|
| 4.1 | Are you processing the personal data to protect the individual’s vital interests? | Yes/No | Yes, go to 4.3. No, go to 4.2. |
| 4.2 | Are you processing the personal data to protect another person’s vital interests? | Yes/No | Yes, go to 4.3. No, try an alternative lawful basis. |
| 4.3 | Is the processing necessary for this purpose? | Yes/No | Yes, go to 4.4. No, try an alternative lawful basis. |
| 4.4 | Do any other lawful bases need to be considered (see tables above and below)? | Yes/No | No, this lawful basis is appropriate. Yes, try an alternative/additional lawful basis. |
Step 5 – Performance of a task in the public interest or exercising official authority
| No. | Criteria | Criteria met? | Result |
|---|---|---|---|
| 5.1 | Are you processing the personal data to fulfil tasks that are in the ‘public interest’? | Yes/No | Yes, go to 5.3. No, go to 5.2. |
| 5.2 | Are you processing the personal data as part of your official powers? | Yes/No | Yes, go to 5.3. No, try an alternative lawful basis. |
| 5.3 | Is the processing necessary for this purpose? | Yes/No | Yes, go to 5.4. No, try an alternative lawful basis. |
| 5.4 | Do any other lawful bases need to be considered (see tables above and below)? | Yes/No | No, this lawful basis is appropriate. Yes, try an alternative/additional lawful basis. |
Step 6 – Legitimate interests
| No. | Criteria | Criteria met? | Result |
|---|---|---|---|
| 6.1 | Are you processing the personal data to further your own legitimate interests? | Yes/No | Yes, go to 6.3. No, go to 6.2. |
| 6.2 | Are you processing the personal data to further the legitimate interests of a third party? | Yes/No | Yes, go to 6.3. No, try an alternative lawful basis. |
| 6.3 | Is the processing necessary for this purpose? | Yes/No | Yes, go to 6.4. No, try an alternative lawful basis. |
| 6.4 | Have you satisfied the ‘balancing test’, and satisfied any other applicable requirements, eg, have you: done a legitimate interests assessment (LIA), provided an opt-out, or implemented other additional safeguards? | Yes/No | Yes, go to 6.5. No, try an alternative lawful basis. |
| 6.5 | Do any other lawful bases need to be considered (see tables above)? | Yes/No | No, this lawful basis is appropriate. Yes, try an alternative/additional lawful basis. |
Explanatory notes
Legal framework
The checklist covers the requirements under:
- Regulation 2016/679 – General Data Protection Regulation (EU GDPR);
- the EU GDPR as it forms part of the domestic law in the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 (UK GDPR) and The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019;
- the Data Protection Act 2018 (UK DPA 2018);
- the UK Information Commissioner’s Office’s (ICO’s) guidance on lawful basis for processing (ICO lawful basis guidance);
- the ICO’s guidance on consent (ICO consent guidance);
- European Data Protection Board (EDPB) Guidelines 05/2020 on consent under Regulation 2016/679 (EDPB consent guidelines);
- EDPB Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects (EDPB online services guidelines) (which focus on the performance of contract lawful basis); and
- EDPB Guidelines 08/2020 on the targeting of social media users (EDPB social media guidelines) (which focus on the consent and legitimate interests lawful bases).
References to the ‘GDPR’ mean either the EU GDPR or the UK GDPR, unless otherwise specified.
Article 6, GDPR requires that an organisation’s processing of personal data comes within one of six bases (or reasons) in order for that processing to be lawful, as listed in the introduction and corresponding with each of the tables above. This requirement only applies to controllers.
Multiple lawful bases may apply to the same data if you are processing this for different reasons. For example, if the individual has a free choice over some elements of the processing, consent will be the appropriate basis for those but you would need a separate lawful basis for the other elements.
Each lawful basis (aside from consent) includes a requirement that the processing must be ‘necessary’ for a specific purpose. According to the ICO’s lawful basis guidance, ‘The question is whether the processing is objectively necessary for the stated purpose, not whether it is a necessary part of your chosen methods.’
If your purposes change over time or you have a new purpose which you did not originally anticipate, you need to comply with the purpose limitation principle. You can only go ahead if a) the new purpose is compatible with the original purpose, b) you get the individual’s specific consent for the new purpose, or c) you can point to a clear legal provision requiring or allowing the new processing in the public interest. All processing must also be lawful, so you do need a lawful basis. The original basis you used to collect the data may not always be appropriate for your new use of that data. See the ICO’s guidance on i) lawful basis for processing and ii) purpose limitation (which also explains what a compatible purpose is).
The ICO also provides a lawful basis interactive guidance tool which is designed to assist organisations determine the most appropriate lawful basis for their processing activities.
This checklist focuses only on processing personal data that is not ‘special category personal data’ or ‘criminal data’. Additional requirements apply to these types of more sensitive information, which are explained only briefly below.
Specific requirements applicable to children’s consent are not covered in this checklist. See the ICO’s guidance on children and the UK GDPR. See also the ICO’s 10 Step Guide to Sharing Information to Safeguard Children.
Special category data
Article 9, GDPR designates special categories of personal data as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Additional requirements must be met in order to make processing of such data lawful. In fact, processing of these more sensitive categories of data will not be lawful unless it satisfies both:
- a lawful basis under article 6, GDPR; and
- an exemption / condition under article 9, GDPR and Schedule 2, UK DPA 2018.
See the section on special category data in How to Guide: How to ensure compliance with the GDPR.
Criminal data
Additional requirements apply in order to make processing of certain types of criminal data lawful. Criminal data means ‘criminal convictions and offences or related security measures based on article 6(1)’ (article 10, GDPR).
Processing of these more sensitive categories of data will not be lawful unless it satisfies both:
- a lawful basis under article 6, GDPR; and
- an exemption / condition under article 10, GDPR and Schedule 2, UK DPA 2018.
See the section on criminal data in How to Guide: How to ensure compliance with the GDPR.
What else do organisations have to do to ensure that personal data is processed lawfully?
The requirements listed in the tables above are not the only obligations that an organisation needs to meet to ensure that personal data processing is lawful. The various other provisions of the GDPR and UK DPA 2018 (such as the data protection principles in article 5, GDPR) must be complied with, as well as any other applicable laws and industry-specific rules.
Notes on specific requirements
Step 1 – Consent of the data subject
Consent is not always required, but the data subject’s consent can be relied on to lawfully process personal data. Processing relying on consent must be for one or more specific purposes (article 6(1)(a), GDPR).
1.1 Can you offer the individual a genuine choice regarding the processing of their personal data?
If, in practice, you would go ahead and process personal data anyway (even if an individual changed their mind later on), consent will not be the correct lawful basis to use.
1.2 Are you looking to make consent a precondition of a service?
You should avoid making consent a precondition of providing a service. This is because, if you do condition a service on consent, you cannot offer individuals a real choice over how you use their data.
1.3 Can the individual refuse consent without detriment?
Individuals should be able to refuse consent without detriment – this is part of the requirement that consent must be freely given. See 1.8 below.
1.4 Can you deal with requests to withdraw consent?
A defining feature of consent is that it can be withdrawn at any time. Processing systems must be set up to deal with this. If, in practice, you would continue to process the data, consent is not the appropriate lawful basis to use.
1.5 Is your organisation a public authority, employer or in a position of power over individuals?
Organisations that are in a position of power will need to be careful when relying on consent as they will need to be able to demonstrate that the consent is ‘freely given’. For example, public authorities and employers will need to take extra precautions to position any consent requests as voluntary and to not be seen as putting pressure on individuals to consent for fear of adverse consequences as regards their ability to access vital public services or concerning their employment, for instance.
1.6 Is consent recorded?
Processing systems must be set up to record details of the consent that was given (ie, when consent was given and what the individual consented to). If this cannot be accommodated, it will be difficult to rely on consent.
1.7 Is a more appropriate lawful basis available?
You may decide to rely on consent where you want to make certain processing voluntary (eg, carrying out a survey) in circumstances where an alternative lawful basis (ie, legitimate interests) could technically have been relied on instead. However, be aware that once you have decided to rely on consent to process personal data, you cannot later decide to switch to a different lawful basis (for example, if consent is withdrawn).
1.8 Is the form of consent itself valid?
For the consent to be valid, it must meet the requirements under Recitals 32 and 43 and articles 4(11) and 7 of the GDPR, including that:
- the consent request must be prominent and separate from other terms and conditions;
- the consent must be:
  - active, ie, a positive opt-in
  - fully informed
  - freely given
  - unambiguous
  - specific/granular
  - recorded, and
  - as easy to withdraw as it is to give, and the individual must be informed of their rights to withdraw consent upfront; and
- the consent must not use pre-ticked boxes or any other method of default consent.
Consents must be kept under review and refreshed at appropriate intervals.
Step 2 – Performance of contract
2.1 Are you processing the personal data to perform a contract with the individual?
The first part of this lawful basis is relevant if you have a contract with the individual and you need to process their personal data:
- to comply with your obligations under the contract; or
- so that they can comply with specific counter-obligations under the contract (eg, processing their payment details).
It does not apply to:
- processing of personal data of anyone other than the contract holder; or
- collection and reuse of customer data for your own business purposes, even if your standard contractual terms or commercial model provide for this.
2.2 Are you processing the personal data to take steps that the individual has asked you to take, prior to entering into a contract with them?
The second part of this lawful basis is relevant if you have not yet got a contract with the individual, but they have asked you to do something as a precursor to the contract with them (eg, provide a quote) and you need to process their personal data to fulfil their request.
It does not apply to:
- pre-contractual steps that you take on your own initiative (eg, credit checks – see ‘legitimate interests’);
- processing done to meet other obligations; or
- processing done at the request of a third party.
It does not matter that the person does not ultimately enter into a contract; the key issue is that the processing was in the context of a potential contract with that individual.
2.3 Is the processing necessary for this purpose?
The processing needs to be necessary to perform the contract with the individual or take the pre-contract steps that they ask you to take. See general notes above.
2.4 Do any other lawful bases need to be considered?
If you satisfy this lawful basis, it is not necessary to obtain consent as well. However, if a specific lawful basis does not cover all your reasons for processing the personal data in the relevant context, you must look to satisfy an additional lawful basis or bases for the remainder of the processing. See Step 1 above and Steps 3 to 6 below.
Step 3 – Performance of a legal obligation
3.1 Are you processing the personal data to comply with your legal obligations?
This lawful basis is relevant if you have to process individuals’ personal data to comply with a legal obligation that applies to your organisation.
It applies to UK (and, where the EU GDPR applies, to EU):
- common law obligations;
- statutory obligations;
- regulatory requirements that have a statutory basis and require regulated organisations to comply; and
- court orders.
It does not apply to contractual obligations – this typically comes within ‘performance of contract’ (see above) or ‘legitimate interests’ (for third party obligations, see below).
3.2 Is the processing necessary for this purpose?
The processing needs to be necessary to perform the legal obligation, as a reasonable and proportionate way of complying. This basis will not be available if you can exercise discretion over whether or not to process the personal data, or if compliance could be achieved by other reasonable means. See general notes above.
3.3 Do any other lawful bases need to be considered?
See Steps 1 and 2 above and 4 to 6 below.
Step 4 – Protection of vital interests
4.1 Are you processing the personal data to protect the individual’s vital interests?
This lawful basis is relevant if you have to process personal data to protect someone’s life. It is a narrow lawful basis of last resort that applies to ‘life and death’ situations, eg, emergency medical care when a person is incapable of giving consent.
If health data is being processed, you will also need to satisfy an exemption / condition for processing special category data (see article 9, GDPR and Schedule 1, UK DPA 2018).
4.2 Are you processing the personal data to protect another person’s vital interests?
Processing of one individual’s personal data to protect the vital interests of another may be relevant, for instance, where you need to process a parent’s personal data to protect a child’s vital interests. The same considerations as outlined in 4.1 above apply here as well.
4.3 Is the processing necessary for this purpose?
The processing needs to be necessary to protect the vital interests of the individual or third party. If you can reasonably protect the person’s vital interests in another less intrusive way, this basis will not be appropriate. See general notes above.
4.4 Do any other lawful bases need to be considered?
See Steps 1 to 3 above and 5 and 6 below.
Step 5 – Performance of a task in the public interest or exercising official authority
5.1 Are you processing the personal data to fulfil tasks that are in the ‘public interest’?
The first part of this lawful basis is relevant if you have to process individuals’ personal data to perform a task in the public interest that is set out in UK domestic law. This includes clear common law tasks, functions or powers, plus those set out in statute or statutory guidance.
If you are processing special category data, you also need to satisfy an exemption for processing this type of data (see article 9, GDPR and Schedule 1, UK DPA 2018).
5.2 Are you processing the personal data as part of your official powers?
The second part of this lawful basis is relevant if you have to process individuals’ personal data ‘in the exercise of official authority’, ie, to carry out public functions and powers that are set out in law (see section 8, UK DPA 2018). This is mainly relevant to public sector organisations.
Again, if you are processing special category data, you also need to satisfy an exemption for processing this type of data (see Schedule 1, UK DPA 2018).
5.3 Is the processing necessary for this purpose?
The processing needs to be necessary to perform the task in the public interest or exercise the official authority – this basis will not be available if you could reasonably perform your tasks or exercise your authority in a less intrusive way or without processing personal data. See general notes above.
5.4 Do any other lawful bases need to be considered?
See Steps 1 to 4 above and 6 below.
Step 6 – Legitimate interests
6.1 Are you processing the personal data to further your own legitimate interests?
Legitimate interests can include business interests, individual interests or broader societal benefits. According to the ICO’s legitimate interests guidance, this basis ‘is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.’
The UK GDPR and ICO guidance lists non-exhaustively certain processing activities and purposes that will be ‘legitimate interests’, such as fraud prevention, network and information security and indicating possible criminal acts or threats to public security. In addition, the GDPR indicates that legitimate interests may (but will not always) apply to processing employee or client data; direct marketing; or intra-group administrative transfers.
Public authorities can rely on legitimate interests only to the extent that they are processing personal data for a legitimate reason outside their tasks as a public authority.
6.2 Are you processing the personal data to further the legitimate interests of a third party?
Similar considerations apply to processing that is in the legitimate interests of a third party – see notes in 6.1 above.
6.3 Is the processing necessary for this purpose?
The processing needs to be necessary for the purposes of your or the third party’s legitimate interests – this basis will not be available if you could reasonably fulfil these purposes in a less intrusive way or without processing personal data. See general notes above.
6.4 Have you satisfied the ‘balancing test’, and have you satisfied any other applicable requirements?
It is not enough to simply have a legitimate interest – detailed requirements must be met to be able to rely on this basis, eg, carrying out a three-stage test (purpose, necessity and balancing test) and keeping a record of this. The ICO also recommends doing a legitimate interests assessment (LIA).
It may also be necessary to provide an opt-out and give effect to individuals’ right to object to processing on the basis of legitimate interests, and to implement additional safeguards to protect people’s rights.
6.5 Do any other lawful bases need to be considered?
See Steps 1 to 5 above. If you need consent under other legislation, eg the electronic marketing rules under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), the ICO’s position is that you should also be relying on consent under the GDPR.
Additional resources
- Legitimate interests | ICO
- Consent | ICO
- EDPB consent guidelines
- EDPB social media guidelines
- Contract | ICO
- EDPB online services guidelines
- Legal obligation | ICO
- Vital interests | ICO
- Public task | ICO