Contact us

The six lawful bases for processing personal data

The six lawful bases for processing personal data are set out in 'Article 6' of the GDPR. At least one of these must apply whenever you process personal data:    

  1. Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
     

  2. Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
     

  3. Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
     

  4. Vital interests: the processing is necessary to protect someone’s life.
     

  5. Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
     

  6. Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

 

More information on the bases of Legitimate interests

Legitimate interests is the most flexible lawful basis for processing personal data, but you cannot assume it will always be the most appropriate.

It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.

If you choose to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people’s rights and interests.

There are three elements to the legitimate interests’ basis. It helps to think of this as a three-part test. You need to:

First, identify the legitimate interest(s). Consider:

  • Why do you want to process the data – what are you trying to achieve?
  • Who benefits from the processing? In what way
  • Are there any wider public benefits to the processing?
  • How important are those benefits?
  • What would the impact be if you couldn’t go ahead?
  • Would your use of the data be unethical or unlawful in any way?

Second, apply the necessity test.

Consider:

  • Does this processing actually help to further that interest?
  • Is it a reasonable way to go about it?
  • Is there another less intrusive way to achieve the same result?

Third, do a balancing test. Consider the impact of your processing and whether this overrides the interest you have identified. You might find it helpful to think about the following:

  • What is the nature of your relationship with the individual?
  • Is any of the data particularly sensitive or private?
  • Would people expect you to use their data in this way?
  • Are you happy to explain it to them?
  • Are some people likely to object or find it intrusive?
  • What is the possible impact on the individual?
  • How big an impact might it have on them?
  • Are you processing children’s data?
  • Are any of the individuals vulnerable in any other way?
  • Can you adopt any safeguards to minimise the impact?
  • Can you offer an opt-out?

You then need to make a decision about whether you still think legitimate interests is an appropriate basis. There’s no fool proof formula for the outcome of the balancing test – but you must be confident that your legitimate interests are not overridden by the risks you have identified.

Keep a record of your LIA and the outcome. There is no standard format for this, but it’s important to record your thinking to help show you have proper decision-making processes in place and to justify the outcome. Keep your LIA under review and refresh it if there is a significant change in the purpose, nature or context of the processing.

If you are not sure about the outcome of the balancing test, it may be safer to look for another lawful basis. Legitimate interests will not often be the most appropriate basis for processing which is unexpected or high risk.

The processing must be necessary. If you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply.

You must balance your interests against the individual’s. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.

Keep a record of your legitimate interests assessment (LIA) to help you demonstrate compliance if required.

You must include details of your legitimate interests in your privacy information.

What else do we need to consider?

You must tell people in your privacy information that you are relying on legitimate interests, and explain what these interests are.

If you want to process the personal data for a new purpose, you may be able to continue processing under legitimate interests as long as your new purpose is compatible with your original purpose. We would still recommend that you conduct a new LIA, as this will help you demonstrate compatibility. If you rely on legitimate interests, the right to data portability does not apply.

If you are relying on legitimate interests for direct marketing, the right to object is absolute and you must stop processing when someone objects. For other purposes, you must stop unless you can show that your legitimate interests are compelling enough to override the individual’s rights. See our guidance on individual rights for more on this.

 

You need to remember that:

  • No single basis is ’better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the individual.
     

  • Most lawful bases require that processing is ‘necessary’. If you can reasonably achieve the same purpose without the processing, you won’t have a lawful basis.
     

  • You must determine your lawful basis before you begin processing personal data, and you should document it.
     

  • You need to take care to get it right first time - you should not swap to a different lawful basis at a later date without good reason.
     

  • Your privacy notice should include your lawful basis for processing as well as the purposes of the processing. (see our section on privacy notices)
     

  • If your purposes change, you may be able to continue processing under the original lawful basis if your new purpose is compatible with your initial purpose - unless your original lawful basis was consent (see our section on obtaining consent).
     

  • If you are processing special category data you need to identify both a lawful basis for general processing and an additional condition for processing this type of data.