
Legal Basis for Data Processing under GDPR

Last updated: October 01, 2025

There are six legal bases for processing as set out in Article 6 of the General Data Protection Regulation (GDPR). At least one of these must apply whenever you process personal data.

While the Information Commissioner's Office (ICO) has made it clear you must have a valid lawful basis to process personal data, many organisations assume this depends on obtaining consent. Consent is just one of six legitimate reasons for processing personal data. Which basis is most appropriate will depend on your purpose and your relationship with the individual.


Key takeaways

  • The first three legal bases for data processing under the GDPR are consent, performance of a contract and legal reasons.
  • The last three are protecting the data subject's vital interests, performing a task in the public interest and legitimate interest.
  • At least one of the six legal bases must apply whenever you process people’s personal information.
  • If you have doubts about the legal justification for processing data, ask your data protection officer (DPO).

Key conditions to ensure data processing is legal

1. Consent

The data subject has provided clear consent to the processing activity. GDPR states it must be freely given, specific, informed and unambiguous, provided by a statement or a clear, affirmative action. Data subjects must be able to refuse or withdraw consent without penalty.

2. Performance of a contract

GDPR Recital 40 says "the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract" is a legitimate basis of lawful processing. 

3. Legal obligations

Personal data processing is necessary for legal reasons, for example, tax reporting or employee record maintenance. 

Recital 45 states that "Where processing is carried out in accordance with a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, the processing should have a basis in Union or Member State law".

4. Protecting the data subject's vital interests

This only applies if it's necessary to process personal data to protect someone's life, as clarified in Recital 46 of the GDPR: "Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis". For example, this applies if someone's medical history is made available to treat them in A&E after a life-threatening road accident.

5. Performing a task in the public interest

As per Article 6, data can be processed "for the performance of a task carried out in the public interest or in the exercise of official authority". 

You don't need a specific statutory power to process personal data, but you must have a clear and documented basis in law. 

The Data Protection Act (DPA) 2018 clarifies that this includes processing necessary for:

  1. The administration of justice
  2. Exercising a function
    1. of the House of Parliament
    2. conferred on a person by an enactment or rule of law
    3. of the Crown, a Minister of the Crown or a government department
  3. An activity that supports or promotes democratic engagement.

Data subjects' rights to erasure and data portability do not apply if you are processing on this basis. However, they do have a right to object.

6. Legitimate interest

Legitimate interest is the most flexible of the six lawful bases for data processing. It can potentially be applied to any type of processing carried out for any reasonable purpose.

Article 6(1)(f) states that processing is lawful if 'processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject'.

This leaves a lot of room for interpretation and the definition is unhelpfully vague. The burden is on you to determine if your interests in processing personal data really are legitimate.

These interests must be balanced against those of the data subject(s). The GDPR mentions processing client or employee data, marketing, fraud prevention, intra-group transfers or IT security as potential legitimate interests, but this list is not exhaustive.

The important thing to consider is that ‘legitimate interests’ is most likely to be appropriate if you are using personal data in ways that the data subject would deem reasonable and where the processing has a minimal impact on their privacy.

Remember that if you use legitimate interest as your basis for processing personal information as part of your marketing activities, the data subjects’ right to object is absolute: you must stop processing if anyone objects.

Where to get advice on data processing legality

If you have doubts regarding the legal justification for processing data, it is best to ask your data protection officer (DPO). This could be a stand-alone role or someone with expertise in this area. If you don't have one, refer to Article 37(1) of the GDPR.

It goes without saying that all staff need GDPR awareness training, and those handling a lot of information (particularly sensitive data) will need a more in-depth understanding.

To reassure those who are providing you with data, create privacy notice and data processing statement web pages. Additionally, make website cookie requests simple and clear.

Data processing under the GDPR: FAQs

Why does a legal basis for data processing under GDPR matter?

It’s a requirement to process personal data lawfully, ensuring compliance with related principles and laws and that people’s rights are respected.

What is a data subject in relation to the GDPR?

The identified or identifiable living individual (“natural person”) whose personal data is collected/processed/stored. An example of a data subject is a customer or an employee.

What is a data controller?

Any person/company/body/public authority that determines the why and how of processing personal data. Examples include an employer and a hospital.
