How-to guide: How to establish a valid lawful basis for processing personal data under the GDPR (UK)

Updated as of: 02 March 2025

Introduction

This guide will inform in-house counsel and private practitioners about the lawful bases upon which personal data can be processed in terms of article 6 of the General Data Protection Regulation (GDPR). This will assist them when advising internal or external clients about these issues.

The guide is UK-focused and addresses the requirements under the UK GDPR, but also covers:

  • general requirements under the EU GDPR, as these may still be relevant to some UK organisations to which the EU GDPR applies due to the application of the extra-territorial scope provisions in article 3(2), EU GDPR; and
  • the Information Commissioner’s Office’s (ICO) interpretation of such EU GDPR requirements.

However, it does not cover any local European Economic Area (EEA) data protection law requirements or interpretation of the EU GDPR by EEA data protection regulators. References to the ‘GDPR’ mean either the EU GDPR or the UK GDPR (as defined in part 1, section 3, Data Protection Act 2018 (UK DPA 2018)), unless otherwise specified.

This guide covers the following:

  1. The requirement to have a lawful basis to process personal data
  2. The available lawful bases for processing personal data
  3. Processing special category and criminal data
  4. Inability to find a valid lawful basis for processing personal data
  5. Other requirements to ensure that personal data is processed lawfully

Key definitions, such as ‘controller’, ‘processor’, ‘data subject’, ‘personal data’ and ‘processing’ are further explained in How-to guide: Understanding key data protection definitions.

This guide is intended to be used in conjunction with Checklist: Lawful processing of personal data under the GDPR. The checklist is designed to help you decide which of the six bases is the most appropriate lawful one to rely on for your relevant processing situation and, accordingly, if personal data is being processed lawfully.

Section 1 – The requirement to have a lawful basis to process personal data

Article 6, GDPR requires that an organisation’s processing of personal data comes within one of six bases (or reasons) in order for that processing to be lawful. The six bases are described in more detail in section 2. This requirement only applies to controllers.

Multiple lawful bases may apply to the same data if you are processing it for different reasons. For example, if an individual has a free choice over some elements of the processing, consent will be the appropriate basis for those but you would need a separate lawful basis for the other elements. 

Each lawful basis (aside from consent) includes a requirement that the processing must be ‘necessary’ for a specific purpose. According to the ICO’s lawful basis guidance, ‘the question is whether the processing is objectively necessary for the stated purpose, not whether it is a necessary part of your chosen methods’.

This guide focuses only on processing personal data that is not ‘special category personal data’ or ‘criminal data’. Additional requirements apply to these types of more sensitive information, which are explained only briefly below in section 3. Specific requirements applicable to children’s consent are not covered in this guide. The ICO’s guidance on children and the UK GDPR has more information on this. The ICO’s 10 Step Guide to Sharing Information to Safeguard Children is also relevant when processing personal data relating to children for safeguarding purposes.

Section 2 – The available lawful bases for processing personal data

The GDPR requires that an organisation’s processing of personal data comes within one of six bases (or reasons) in order for that processing to be lawful. These are as follows:

  • consent of the data subject;
  • performance of contract;
  • performance of a legal obligation;
  • protection of vital interests;
  • performance of a task in the public interest or exercising official authority; and
  • legitimate interests.

These are each explained in more detail below. See also Checklist: Lawful processing of personal data under the GDPR to help you decide which of the six bases is the most appropriate to rely on for your relevant processing.

2.1 Consent of the data subject

Processing will be lawful to the extent that ‘the data subject has given consent to the processing of his or her personal data for one or more specific purposes’ (article 6(1)(a), GDPR).

Consent is not always required, and may not always be appropriate, but the data subject’s consent is one basis that may be relied on to lawfully process personal data. Processing that relies on consent must be for one or more specific purposes (rather than being a blanket consent).

2.1.1 What are the specific requirements for valid GDPR-standard consent?

For the consent to be valid, it must meet the requirements under recitals 32 and 43, and articles 4(11) and 7 of the GDPR, including that:

  • the consent request must be prominent and separate from other terms and conditions;
  • the consent must be:
    • active (ie, a positive opt-in);
    • fully informed;
    • freely given;
    • unambiguous;
    • specific and granular;
    • recorded; and
    • as easy to withdraw as it is to give, and the individual must be informed of their rights to withdraw consent upfront; and
  • the consent must not use pre-ticked boxes or any other method of default consent.

2.1.2 When is consent not likely to be appropriate?

Consent will generally not be the most appropriate lawful basis if:

  • you are unable to offer the individual a genuine choice regarding the processing of their personal data;
  • you are looking to make consent a precondition of a service;
  • the individual would be likely to suffer detriment if they refuse consent;
  • you are unable to deal with requests to withdraw consent;
  • your organisation is a public authority or employer or is in a position of power over individuals (that cannot be addressed by taking specific measures to try to ensure the individual has a genuine free choice);
  • you do not have a record of the consent that was given; or
  • there is a more appropriate lawful basis that you should rely on instead.

2.1.3 When is consent likely to be appropriate?

Relying on consent is likely to be appropriate where:

  • there are no alternative more appropriate lawful bases available;
  • you are able to offer individuals a genuine and free choice about whether or not to consent;
  • you have a mechanism for dealing with consent withdrawals; and/or
  • you need consent under other legislation, for example, the electronic marketing rules under the Privacy and Electronic Communications (EC Directive) Regulations 2003. The ICO’s position is that in that case you should also be relying on consent under the GDPR.

For a detailed checklist on obtaining consent under UK GDPR, see Checklist: Obtaining and managing consent under the GDPR. For guidance on obtaining consent to cookies, see Checklist: Complying with cookie requirements under PECR and the UK GDPR.

2.1.4 How long is consent valid for?

How long consent will remain valid for will depend on the context. Consents must be kept under review and refreshed at appropriate intervals (as determined by the relevant context, considering factors such as any product or service-specific sales cycles and the reasonable expectations of the data subject).

For further information on consent, see ICO guidance on consent, European Data Protection Board (EDPB) consent guidelines and EDPB social media guidelines.

2.2 Performance of contract

Processing will be lawful to the extent that ‘processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract’ (article 6(1)(b), GDPR).

The first part of this lawful basis (ie, that processing is necessary for the performance of a contract to which the data subject is party) is relevant if you have a contract with the individual and you need to process their personal data: 

  • to comply with your obligations under the contract; or
  • so that they can comply with specific counter-obligations under the contract (eg, processing their payment details).

It does not apply to:

  • processing the personal data of anyone other than the contract holder; or
  • collection and reuse of customer data for your own business purposes, even if your standard contractual terms or commercial model provide for this. 

The second part of this lawful basis (ie, that processing is necessary in order to take steps at the request of the data subject prior to entering into a contract) is relevant if you have not yet got a contract with the individual, but they have asked you to do something as a precursor to the contract with them (eg, provide a quote) and you need to process their personal data to fulfil their request.

It does not apply to:

  • pre-contractual steps that you take on your own initiative (eg, credit checks – see section 2.6 on legitimate interests);
  • processing done to meet other obligations; or
  • processing done at the request of a third party. 

It does not matter that the person does not ultimately enter into a contract; the key issue is that the processing was in the context of a potential contract with that individual. 

The processing needs to be necessary (see Section 1) to perform the contract with the individual or take the pre-contract steps that they ask you to take.

For further information on performance of contract, see the ICO’s guidance on contracts and EDPB online services guidelines.

2.3 Performance of a legal obligation

Processing will be lawful to the extent that ‘processing is necessary for compliance with a legal obligation to which the controller is subject’ (article 6(1)(c), GDPR).

This lawful basis is relevant if you have to process individuals’ personal data to comply with a legal obligation that applies to your organisation.

It applies to the UK (and, where the EU GDPR applies, to the EU) in relation to:

  • common law obligations;
  • statutory obligations;
  • regulatory requirements that have a statutory basis and require regulated organisations to comply; and
  • court orders.

It does not apply to contractual obligations – these typically come within ‘performance of contract’ (see 2.2) or ‘legitimate interests’ (for third party obligations, see 2.6).

The processing needs to be necessary to perform the legal obligation, as a reasonable and proportionate way of complying. This basis will not be available if you can exercise discretion over whether or not to process the personal data, or if compliance could be achieved by other reasonable means.

For further information on performance of a legal obligation, see the ICO’s guidance on legal obligations.

2.4 Protection of vital interests

Processing will be lawful to the extent that it is ‘necessary in order to protect the vital interests of the data subject or of another natural person’ (article 6(1)(d), GDPR).

This lawful basis is relevant if you have to process personal data to protect someone’s life. It is a narrow lawful basis of last resort that applies to ‘life and death’ situations, for example, emergency medical care when a person is incapable of giving consent.

If health data is being processed, you will also need to satisfy an exemption or condition for processing special category data (see article 9, GDPR and schedule 1, UK DPA 2018).

Processing of one individual’s personal data to protect the vital interests of another may be relevant, for instance, where you need to process a parent’s personal data to protect a child’s vital interests.

The processing needs to be necessary to protect the vital interests of the individual or third party. If you can reasonably protect the person’s vital interests in another less intrusive way, this basis will not be appropriate.

For further information on vital interests, see the ICO’s guidance on vital interests and the Statement by the EDPB Chair on the processing of personal data in the context of the COVID-19 outbreak.

2.5 Performance of a task in the public interest or exercising official authority

Processing will be lawful to the extent that it is ‘necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’ (article 6(1)(e), GDPR).

The first part of this lawful basis (ie, that processing is necessary for the performance of a task carried out in the public interest) is relevant if you have to process individuals’ personal data to perform a task in the public interest that is set out in UK domestic law. This includes clear common law tasks, functions or powers, plus those set out in statute or statutory guidance. As such, this lawful basis would cover processing necessary for:

  • the administration of justice;
  • parliamentary functions;
  • statutory functions;
  • governmental functions;
  • activities that support or promote democratic engagement; and
  • certain other official non-statutory functions or public interest tasks.

The second part of this lawful basis (ie, that processing is necessary in the exercise of official authority vested in the controller) is relevant if you have to process individuals’ personal data ‘in the exercise of official authority’, ie, to carry out public functions and powers that are set out in law (see section 8, UK DPA 2018). This is mainly relevant to public sector organisations.

The processing needs to be necessary to perform the task in the public interest or exercise the official authority – this basis will not be available if you can reasonably perform your tasks or exercise your authority in a less intrusive way or without processing personal data.

For further information on performance of a task in the public interest or exercising official authority, see the ICO’s guidance on public tasks.

2.6 Legitimate interests

Processing will be lawful to the extent that it is ‘necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child’ (article 6(1)(f), GDPR).

Legitimate interests can include business interests, individual interests or broader societal benefits. According to the ICO’s legitimate interests guidance, this basis ‘is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing’.

The UK GDPR and ICO guidance list, non-exhaustively, certain processing activities and purposes that will be ‘legitimate interests’, such as fraud prevention, network and information security, and indicating possible criminal acts or threats to public security. In addition, the GDPR indicates (at recital 47) that legitimate interests may (but will not always) apply to processing employee or client data, direct marketing, or intra-group administrative transfers.

Public authorities can rely on legitimate interests only to the extent that they are processing personal data for a legitimate reason outside their tasks as a public authority.

The processing needs to be necessary for the purposes of your or the third party’s legitimate interests – this basis will not be available if you can reasonably fulfil these purposes in a less intrusive way or without processing personal data.

It is not enough to simply have a legitimate interest – detailed requirements must be met to be able to rely on this basis, for example, carrying out a three-stage balancing test and keeping a record of this. The ICO also recommends doing a legitimate interests assessment (LIA) and provides an LIA tool for this purpose.

It may also be necessary to provide an opt-out and give effect to an individual’s right to object to processing on the basis of legitimate interests, and to implement additional safeguards to protect individuals’ rights (what will be appropriate will depend on the context).

For further information on legitimate interests, see the ICO’s guidance on legitimate interests and EDPB social media guidelines.

Section 3 – Processing special category and criminal data

3.1 Special category data

Article 9, GDPR designates special categories of personal data as:

personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Additional requirements must be met in order to make processing of such data lawful. Processing of these more sensitive categories of data will not be lawful unless it satisfies both:

  • a lawful basis under article 6, GDPR; and
  • an exemption or condition under article 9, GDPR and schedule 2, UK DPA 2018.

See the section on special category data in How-to guide: How to ensure compliance with the GDPR.

3.2 Criminal data

Additional requirements apply in order to make processing of certain types of criminal data lawful. Criminal data means ‘criminal convictions and offences or related security measures based on article 6(1)’ (article 10, GDPR).

Processing of these more sensitive categories of data will not be lawful unless it satisfies both:

  • a lawful basis under article 6, GDPR; and
  • an exemption or condition under article 10, GDPR and schedule 2, UK DPA 2018.

See the section on criminal data in How-to guide: How to ensure compliance with the GDPR.

Section 4 – Inability to find a valid lawful basis for processing personal data

If your processing does not fall within one of the bases set out in section 2, you will be unable to process personal data lawfully. You may need to consider other options such as not using personal data.

Section 5 – Other requirements to ensure that personal data is processed lawfully

You should document your organisation’s decisions about which of the lawful bases applies to your data processing. This will also help with demonstrating compliance with this aspect of the GDPR. Completing the Checklist: Lawful processing of personal data under the GDPR will help you to do this.

You should also record the lawful bases your organisation relies on as a controller in your organisation’s records of processing activities (ROPAs) pursuant to article 30 GDPR. You need to regularly review and update these as your organisation’s processing operations evolve over time.

However, the requirements in article 6, GDPR are not the only obligations that an organisation needs to meet to ensure that personal data processing is lawful. The various other provisions of the GDPR and UK DPA 2018 (such as the data protection principles relating to the processing of personal data in article 5, GDPR) must be complied with, as well as any other applicable laws and industry-specific rules.

Additional resources

ICO, Guide to the UK General Data Protection Regulation (UK GDPR)

Related Lexology Pro content

How-to guides:

Understanding key data protection definitions
How to ensure compliance with the GDPR
How to comply with data processing principles under the GDPR
How to transfer personal data lawfully outside the UK
How to reduce the risk of a GDPR data breach
How to deal with a GDPR data breach
How to deal with an ICO dawn raid

Checklists:

GDPR compliance self-assessment audit
Lawful processing of personal data under the GDPR
Assessing whether an organisation is a controller or processor under the GDPR
Processor due diligence (data protection and cyber security)
Obtaining and managing consent under the GDPR
What to include in your organisation’s privacy notice
Data subject access rights under the GDPR
When and how to appoint a data protection officer
Making an international transfer of personal data under the UK GDPR
Complying with cookie requirements under the PECR and the GDPR
