Legal

Legal Basis

The lawful ground under which personal data may be processed — the GDPR defines six possible bases.

A legal basis (also called lawful basis) is the legal justification for processing personal data. Under the GDPR, every processing activity must have one of six legal bases.

The Six Legal Bases (Article 6(1))

BasisWhen It Applies
(a) ConsentThe data subject has given clear, affirmative agreement
(b) ContractProcessing is necessary to perform a contract with the data subject
(c) Legal obligationProcessing is necessary to comply with the law
(d) Vital interestsProcessing is necessary to protect someone's life
(e) Public taskProcessing is necessary for a task in the public interest
(f) Legitimate interestProcessing is necessary for a legitimate interest that doesn't override the data subject's rights

Choosing the Right Basis

  • The legal basis must be determined before processing begins
  • It must be documented and communicated in the privacy notice
  • Changing the legal basis after the fact is generally not permitted

Related Terms

ConsentPrivacy

A freely given, specific, informed, and unambiguous indication of agreement to data processing.

Legitimate InterestPrivacy

A legal basis for processing data when the controller's interest outweighs the data subject's rights.

GDPRLegal

The General Data Protection Regulation — the EU's comprehensive data protection law, effective since May 2018.

Privacy NoticeLegal

A document informing individuals about how their personal data is collected, used, and protected — often used interchangeably with privacy policy.

Legitimate Interest