Introduction
This guide provides guidance to in-house counsel and private practitioners about the lawful bases upon which personal data can be processed, in accordance with article 6 of Regulation (EU) 2016/679 – General Data Protection Regulation (EU GDPR). This will assist when advising internal or external clients about these issues.
The guide is EU-focused and examines the requirements under the EU GDPR, in particular:
- the general requirements under the EU GDPR; and
- the European Data Protection Board (EDPB) and, where relevant, EU member states’ supervisory authorities’ interpretation of such EU GDPR requirements.
This guide does not address UK-specific data protection law requirements. Note, however, that following Brexit the UK retained the EU GDPR in domestic law (commonly referred to as the UK GDPR), with the changes necessary to accommodate UK domestic law. Guidance published by the UK supervisory authority, the Information Commissioner’s Office (ICO), on the EU GDPR (prior to Brexit) and the UK GDPR (after Brexit) therefore provides a helpful overview of the subject matter of this guide and is referred to below where relevant.
This guide covers the following:
- The requirement to have a lawful basis to process personal data
- The available lawful bases for processing personal data
- Processing special category and criminal data
- Inability to find a valid lawful basis for processing personal data
- Other requirements to ensure that personal data is processed lawfully
Key definitions, such as ‘controller’, ‘processor’, ‘data subject’, ‘personal data’ and ‘processing’ are further explained in How-to guide: Understanding key data protection definitions.
This guide is intended to be used in conjunction with Checklist: Lawful processing of personal data under the GDPR. The checklist is designed to help you decide which of the six bases is the most appropriate lawful one to rely on for your relevant processing situation and, accordingly, if personal data is being processed lawfully.
Section 1 – The requirement to have a lawful basis to process personal data
Article 6 of the EU GDPR requires that an organisation’s processing of personal data comes within one of six bases (or reasons) in order for that processing to be lawful. The six bases are described in more detail in Section 2. This requirement only applies to controllers.
Multiple lawful bases may apply to the same data if you are processing it for different purposes. For example, if an individual has a genuinely free choice over some elements of the processing, consent will be the appropriate basis for those elements, but you will need a separate lawful basis for the others. According to the legal bases for processing personal data guidance note published by Ireland’s Data Protection Commission (DPC), ‘there is no hierarchy or preferred option within this list [of lawful bases], instead each instance of processing should be based on the legal basis which is most appropriate in the specific circumstances’. The EDPB has clarified in its own guidelines that ‘the application of one of these six bases must be established prior to the processing activity and in relation to a specific purpose’.
Each lawful basis (aside from consent) includes a requirement that the processing must be ‘necessary’ for a specific purpose. According to the UK ICO’s lawful basis guidance, ‘the question is whether the processing is objectively necessary for the stated purpose, not whether it is a necessary part of your chosen methods’.
This guide focuses only on processing personal data that is not ‘special category personal data’ or ‘criminal data’. Additional requirements apply to these types of more sensitive information, which are explained only briefly in Section 3 below. Specific requirements applicable to children’s consent are not covered in this guide. Ireland’s DPC guidance on children and the GDPR has more information on this.
Section 2 – The available lawful bases for processing personal data
The EU GDPR requires that an organisation’s processing of personal data comes within one of six bases (or reasons) in order for that processing to be lawful. These are as follows:
- consent of the data subject;
- performance of contract;
- performance of a legal obligation;
- protection of vital interests;
- performance of a task in the public interest or exercising official authority; and
- legitimate interests.
These are each explained in more detail below. See also Checklist: Lawful processing of personal data under the GDPR to help you decide which of the six bases is the most appropriate to rely on for your relevant processing.
2.1 Consent of the data subject
Processing will be lawful to the extent that ‘the data subject has given consent to the processing of his or her personal data for one or more specific purposes’ (article 6(1)(a), EU GDPR).
Consent is not always required, and may not always be appropriate, but the data subject’s consent is one basis that may be relied on to lawfully process personal data. Processing that relies on consent must be for one or more specific purposes (rather than being a blanket consent).
2.1.1 What are the specific requirements for valid GDPR-standard consent?
For the consent to be valid, it must meet the requirements of articles 4(11) and 7 of the EU GDPR, read with recitals 32 and 43, including that:
- the consent request must be prominent and separate from other terms and conditions;
- the consent must be:
  - active (ie, a positive opt-in);
  - fully informed;
  - freely given;
  - unambiguous;
  - specific and granular;
  - recorded; and
  - as easy to withdraw as it is to give, with the individual informed of their right to withdraw consent upfront; and
- the consent must not be obtained through pre-ticked boxes or any other method of default consent.
2.1.2 When is consent not likely to be appropriate?
Consent will generally not be the most appropriate lawful basis if:
- you are unable to offer the individual a genuine choice regarding the processing of their personal data;
- you are looking to make consent a precondition of a service;
- the individual would be likely to suffer detriment if they refuse consent;
- you are unable to deal with requests to withdraw consent;
- your organisation is a public authority or employer or is in a position of power over individuals (that cannot be addressed by taking specific measures to try to ensure the individual has a genuine free choice);
- you do not have a record of the consent that was given; or
- there is a more appropriate lawful basis that you should rely on instead.
2.1.3 When is consent likely to be appropriate?
Relying on consent is likely to be appropriate where:
- there are no alternative more appropriate lawful bases available;
- you are able to offer individuals a genuine and free choice about whether or not to consent;
- you have a mechanism for dealing with consent withdrawals; and/or
- you need consent under other legislation, for example the electronic marketing rules under Directive 2002/58/EC (the ePrivacy Directive). Because it is a directive, it has been transposed with some variance into the domestic laws of EU member states and other European Economic Area jurisdictions, so jurisdictions differ on when consent is required for electronic marketing purposes.
2.1.4 How long is consent valid for?
How long consent will remain valid for will depend on the context. Consents must be kept under review and refreshed at appropriate intervals (as determined by the relevant context, considering factors such as any product or service-specific sales cycles and the reasonable expectations of the data subject).
For further information on consent, see the EDPB consent guidelines and the EDPB social media guidelines.
2.2 Performance of contract
Processing will be lawful to the extent that ‘processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract’ (article 6(1)(b), EU GDPR).
The first part of this lawful basis (ie, that processing is necessary for the performance of a contract to which the data subject is party) is relevant if you have a contract with the individual and you need to process their personal data:
- to comply with your obligations under the contract; or
- so that they can comply with specific counter-obligations under the contract (eg, processing their payment details).
It does not apply to:
- processing the personal data of anyone other than the contract holder; or
- collection and reuse of customer data for your own business purposes, even if your standard contractual terms or commercial model provide for this.
The second part of this lawful basis (ie, that processing is necessary in order to take steps at the request of the data subject prior to entering into a contract) is relevant if you have not yet got a contract with the individual, but they have asked you to do something as a precursor to the contract with them (eg, provide a quote) and you need to process their personal data to fulfil their request.
It does not apply to:
- pre-contractual steps that you take on your own initiative (eg, credit checks – see Section 2.6 on legitimate interests);
- processing done to meet other obligations; or
- processing done at the request of a third party.
It does not matter if the person does not ultimately enter into a contract; the key point is that the processing took place in the context of a potential contract with that individual.
The processing needs to be necessary (see Section 1) to perform the contract with the individual or to take the pre-contract steps that they ask you to take.
For further information on performance of contract, see the EDPB online services guidelines, Ireland’s DPC guidance on data controller to data processor contracts under the EU GDPR, and the UK ICO’s guidance on contracts.
2.3 Performance of a legal obligation
Processing will be lawful to the extent that ‘processing is necessary for compliance with a legal obligation to which the controller is subject’ (article 6(1)(c), EU GDPR).
This lawful basis is relevant if you have to process individuals’ personal data to comply with a legal obligation that applies to your organisation.
The obligation must be laid down by EU law or the law of the relevant member state (article 6(3), EU GDPR). Within the EU, it applies in relation to:
- common and civil law obligations;
- statutory obligations;
- regulatory requirements that have a statutory basis and require regulated organisations to comply; and
- court orders.
It does not apply to contractual obligations – this typically comes within ‘performance of contract’ (see Section 2.2) or ‘legitimate interests’ (for third party obligations, see Section 2.6).
The processing needs to be necessary to comply with the legal obligation, in the sense of being a reasonable and proportionate way of complying. This basis will not be available if you can exercise discretion over whether or not to process the personal data, or if compliance could be achieved by other reasonable means.
For further information on performance of a legal obligation, see the legal obligation section of Ireland’s DPC guidance on the legal bases for processing personal data and the UK ICO’s guidance on legal obligations.
2.4 Protection of vital interests
Processing will be lawful to the extent that it is ‘necessary in order to protect the vital interests of the data subject or of another natural person’ (article 6(1)(d), EU GDPR).
This lawful basis is relevant if you have to process personal data to protect someone’s life. It is a narrow lawful basis of last resort that applies to ‘life and death’ situations, for example, emergency medical care when a person is incapable of giving consent.
If health data is being processed, you will also need to satisfy an exemption or condition for processing special category data (see article 9, EU GDPR).
Processing of one individual’s personal data to protect the vital interests of another may be relevant, for instance, where you need to process a parent’s personal data to protect a child’s vital interests.
The processing needs to be necessary to protect the vital interests of the individual or third party. If you can reasonably protect the person’s vital interests in another less intrusive way, this basis will not be appropriate.
For further information on vital interests, see the vital interests section of Ireland’s DPC guidance on the legal bases for processing personal data, the statement by the EDPB Chair on the processing of personal data in the context of the COVID-19 outbreak and the UK ICO’s guidance on vital interests.
2.5 Performance of a task in the public interest or exercising official authority
Processing will be lawful to the extent that it is ‘necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’ (article 6(1)(e), EU GDPR).
The first part of this lawful basis (ie, that processing is necessary for the performance of a task carried out in the public interest) is relevant if you have to process individuals’ personal data to perform a task in the public interest that is laid down in EU law or the law of the relevant member state (article 6(3), EU GDPR). This includes clear common law tasks, functions or powers, plus those set out in statute or statutory guidance. As such, this lawful basis would cover processing necessary for:
- the administration of justice;
- parliamentary functions;
- statutory functions;
- governmental functions;
- activities that support or promote democratic engagement; and
- certain other official non-statutory functions or public interest tasks.
For example, article 43 of Directive (EU) 2015/849 (the Fourth Anti-Money Laundering Directive) provides that ‘the processing of personal data on the basis of this Directive for the purposes of the prevention of money laundering and terrorist financing … shall be considered to be a matter of public interest under Regulation (EU) 2016/679 of the European Parliament and of the Council’.
The second part of this lawful basis (ie, that processing is necessary in the exercise of official authority vested in the controller) is relevant if you have to process individuals’ personal data ‘in the exercise of official authority’ (ie, to carry out public functions and powers that are set out in law). This is mainly relevant to public sector organisations.
The processing needs to be necessary to perform the task in the public interest or exercise the official authority; this basis will not be available if you can reasonably perform your tasks or exercise your authority in a less intrusive way or without processing personal data.
For further information on performance of a task in the public interest or exercising official authority, see the appropriate section of the EDPB’s guidance on location data contact tracing tools in the context of the COVID-19 outbreak, the public tasks section of Ireland’s DPC’s guidance on the legal bases for processing personal data and the UK ICO’s guidance on public tasks.
2.6 Legitimate interests
Processing will be lawful to the extent that it is ‘necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child’ (article 6(1)(f), EU GDPR).
Legitimate interests can include business interests, individual interests or broader societal benefits. The EDPB has published Guidelines on using legitimate interest as a legal basis for processing and according to the UK ICO’s legitimate interests guidance, this basis ‘is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing’.
The recitals to the EU GDPR list, non-exhaustively, processing activities and purposes that may constitute legitimate interests, such as fraud prevention, network and information security, and indicating possible criminal acts or threats to public security (recitals 47 to 50). Recital 47 also notes that legitimate interests may (but will not always) cover the processing of employee or client data, direct marketing, and intra-group administrative transfers.
Public authorities can rely on legitimate interests only to the extent that they are processing personal data for a legitimate reason outside their tasks as a public authority.
The processing needs to be necessary for the purposes of your or the third party’s legitimate interests. This basis will not be available if you can reasonably fulfil these purposes in a less intrusive way or without processing personal data.
It is not enough simply to have a legitimate interest. To rely on this basis, the controller must satisfy a three-step test and keep a record of it: (i) identify a legitimate interest; (ii) show that the processing is necessary for that interest; and (iii) balance that interest against the interests or fundamental rights and freedoms of the individuals concerned (including their financial, social or personal interests), which must not override it. The EDPB Guidelines on using legitimate interest as a legal basis for processing provide guidance on this test. The balancing step should take into account the reasonable expectations of the individuals, based on the relationship between the organisation and the individuals, and the controller should implement mitigating measures that limit the impact of the processing.
The fundamental rights and freedoms of individuals include the right to data protection and privacy, but also other rights eg, right to liberty and security, freedom of expression and information, freedom of thought, conscience and religion, freedom of assembly and association, prohibition of discrimination, the right of property, or the right to physical and mental integrity.
Condition 32 of the EDPB Guidelines sets out that the controller must be able to identify and describe:
- the data subjects’ interests, fundamental rights and freedoms;
- the impact of the processing on data subjects, including:
  - the nature of the data to be processed;
  - the context of the processing; and
  - any further consequences of the processing;
- the reasonable expectations of the data subject; and
- the final balancing of opposing rights and interests, including the possibility of further mitigating measures.
The UK ICO also recommends carrying out a legitimate interests assessment (LIA) and provides an LIA tool for this purpose. The practice of documenting an LIA to support an organisation’s reliance on legitimate interests is gaining traction and features in recent EU supervisory authority investigations and enforcement actions.
You must also give effect to an individual’s right to object to processing based on legitimate interests (article 21, EU GDPR). Where the processing is for direct marketing, this right is absolute; in other cases, the processing may continue only if you can demonstrate compelling legitimate grounds that override the individual’s interests, rights and freedoms. Additional safeguards to protect individuals’ rights may also be required, depending on the context.
For further information on legitimate interests, see EDPB social media guidelines, the legitimate interests section of Ireland’s DPC’s guidance on the legal bases for processing personal data and the UK ICO’s guidance on legitimate interests.
Section 3 – Processing special category and criminal data
3.1 Special category data
Article 9 of the EU GDPR designates special categories of personal data as 'personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation'.
Additional requirements must be met in order to make processing of such data lawful. Processing of these more sensitive categories of data will not be lawful unless it satisfies both:
- a lawful basis under article 6 of the EU GDPR; and
- an exemption or condition under article 9 of the EU GDPR.
See the section on special category data in How-to guide: How to ensure compliance with the GDPR.
3.2 Criminal data
Additional requirements apply in order to make processing of criminal data lawful. Article 10 of the EU GDPR applies to ‘personal data relating to criminal convictions and offences or related security measures’ that is processed on the basis of article 6(1).
Processing of this more sensitive category of data will not be lawful unless it satisfies both:
- a lawful basis under article 6 of the EU GDPR; and
- the conditions in article 10 of the EU GDPR, ie, the processing is carried out under the control of official authority or is authorised by EU or member state law providing appropriate safeguards for the rights and freedoms of data subjects.
See the section on criminal data in How-to guide: How to ensure compliance with the GDPR.
Section 4 – Inability to find a valid lawful basis for processing personal data
If your processing does not fall within one of the bases set out in Section 2, the processing is unlawful and must not go ahead. You will need to consider alternatives, such as redesigning the activity so that it does not use personal data at all.
Section 5 – Other requirements to ensure that personal data is processed lawfully
You should document your organisation’s decisions about which of the lawful bases applies to your data processing. This will also help with demonstrating compliance with this aspect of the EU GDPR. Completing the Checklist: Lawful processing of personal data under the GDPR will help you to do this.
You should also record the lawful bases your organisation relies on as a controller in your organisation’s records of processing activities (ROPAs) pursuant to article 30 of the EU GDPR. You need to regularly review and update these as your organisation’s processing operations evolve over time.
However, the requirements in article 6 of the EU GDPR are not the only obligations that an organisation needs to meet to ensure that personal data processing is lawful. Various other provisions of the EU GDPR (such as the data protection principles relating to the processing of personal data in article 5, including purpose limitation and data minimisation) must be complied with, as well as any other applicable laws and industry-specific rules.
Additional resources
EDPB, EU GDPR Guidelines, Recommendations and Best Practices
Related Lexology Pro content
How-to guides:
Understanding key data protection definitions
How to comply with data processing principles under the GDPR
How to ensure compliance with the GDPR
How to transfer personal data lawfully outside the European Economic Area
How to reduce the risk of a GDPR data breach
How to deal with a GDPR data breach
How to deal with a supervisory authority dawn raid
Checklists:
GDPR compliance self-assessment audit
Assessing whether an organisation is a controller or processor under the GDPR
Lawful processing of personal data under the GDPR
Obtaining and managing consent under the GDPR
Processor due diligence (data protection and cybersecurity)
Making an international transfer of personal data under the GDPR
Data subject access rights under the GDPR
What to include in your organisation’s privacy notice
When and how to appoint a data protection officer
Complying with cookie requirements under the ePrivacy Directive and the GDPR