GDPR Lawful Grounds for Processing

“Personal Data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject”. ‘Lawfulness, fairness and transparency’ is one of the fundamental data processing principles in Article 5 of the GDPR.

This means that data controllers must have lawful grounds for processing personal data. They need to specify this in their privacy notice. There are 6 lawful grounds for processing personal data listed in GDPR Article 6. We’ve summarised these on a free Lawful Grounds GDPR study poster for your wall. The download link is at the end of this article.


Consent

The GDPR imposes a much stricter definition of Consent than the old directive. Article 7 details this definition. The data controller will need to demonstrate that the data subject gave consent for their data to be processed. The controller must have gathered the consent BEFORE the processing began. Where there is an imbalance of power between the individual and the data controller, consent may not be the right choice of lawful grounds, for example if the controller is a public authority or the individual’s employer.

The request for consent should be presented in a way that is “clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language”. 

Consent must be: 

Freely given – Individuals must be able to refuse or withdraw consent. It must be as easy for someone to withdraw their consent as it was to give it. Organisations need to tell individuals about their right to withdraw consent and ensure consent is unbundled, in other words, kept separate from other terms and conditions. Consent should not be a pre-condition of signing up for a service.

Specific – Organisations must make clear the purpose of the processing. In addition, they should collect granular-level consent for each separate processing operation.

Informed – Organisations must give the individual all the details of the data processing so they can truly understand how the processing affects them.

Unambiguous – Companies must obtain consent through a clear, affirmative action. In other words, pre-ticked boxes or inactivity by the individual do not indicate valid consent.

Once a data controller has gained consent, that consent must be kept under review. If the purpose of processing changes, the controller should inform the data subject. It may be necessary to obtain further consent.

Data controllers should keep an audit trail for consent, including whether consent has been withdrawn.

Refer to Recitals 32, 33, 42 and 43 of the GDPR for more details on Consent. Article 9 – Processing of Special Categories of Personal Data outlines details on Explicit Consent.

Performance of a Contract

This can be used as lawful grounds when the “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”.

For example, if the individual is buying a product or service from the data controller, it is necessary for the controller to process the individual’s data in order to deliver the product or service.

Legal Obligation

If an organisation is obliged by law (of their own country or the EU) to process personal data, it can use this as lawful grounds for the processing. See Recital 45 for more.

Vital Interests

This basis generally only applies to life or death situations and should only be used when no other legal basis is available. The UK Information Commissioner’s Office presents an example of such a case.

As this basis will generally relate to health data, refer to Recital 46 and Article 9 – Processing of Special Categories of Personal Data for further details.

Public Interest

Organisations can use this basis when “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”. 

The organisation relying on this legal basis does not have to be a public authority. For example, it could be a private organisation performing a task in the public interest which is laid down by law.

Legitimate Interests

Processing will be lawful if it is “necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of Personal Data, in particular where the data subject is a child”.  

Legitimate Interests shall not apply to processing carried out by public authorities in the performance of their tasks.

Organisations wishing to use Legitimate Interests as the legal basis for data processing must be able to show that:

  • The processing is necessary for the purpose
  • They have balanced the interests of the business against the rights and freedoms of the individual
  • The purpose is a legitimate interest of the controller or third party

If the organisation has an existing relationship with the customer and believes the processing would be reasonably expected by them, it may determine that Legitimate Interests is the appropriate basis for processing. Recitals 47-49 provide more detail and outline some circumstances where Legitimate Interests could be used.

Rights of the Individual

A data subject has the right to object to processing of their data. If relying on legitimate interest, the company has the opportunity to justify the legitimacy of the processing before having to erase data.

The right of data portability does not apply if relying on legitimate interests; it only applies when relying on consent or contractual necessity.

Click the download button to get our free GDPR study poster on the Lawful Bases for Processing.