
The six legal bases for processing personal data

You cannot just process personal data: you need a legal basis. The six legal bases of the GDPR explained, with practical examples.

Under the GDPR you may only process personal data if you have a valid reason: a legal basis. The law defines exactly six. For every processing activity you must know in advance which one applies. Without a basis, the processing is unlawful, however good your intentions.

Article 6 of the GDPR lists six bases. One must apply before you start:

  • Consent: the person has freely given a specific, informed and unambiguous yes, and can withdraw it at any time.
  • Contract: processing is necessary to perform a contract with that person (or to take steps before entering into one), such as delivering an order.
  • Legal obligation: a law requires the processing, such as retaining tax records.
  • Vital interests: it is necessary to protect someone's life or physical integrity, such as in a medical emergency.
  • Public task: the processing is necessary for a task carried out in the public interest or under official authority, typically by a public body.
  • Legitimate interests: you have a legitimate interest that is not overridden by the data subject's interests and rights, shown by a documented balancing test.

Many people think you need consent for everything. That is not true. Consent is often the weakest basis: it can be withdrawn at any time, after which you must stop, and it is only valid if it was freely given, which is hard to demonstrate where there is a power imbalance, such as between employer and employee.

For a customer order, "contract" makes more sense; for a newsletter, usually consent, because the electronic marketing rules in most EU countries require it, with "legitimate interests" limited to the "soft opt-in" for existing customers who were offered an opt-out; for payroll, "legal obligation". Choose the basis that genuinely fits, not consent by default.

Legitimate interests: mind the balancing test

The "legitimate interests" basis is flexible but demands a deliberate balance between your interest and the data subject's privacy. Direct marketing to existing customers may qualify; tracking people without their knowledge usually does not.

Record that assessment (often called a legitimate interests assessment). If your Data Protection Authority investigates, you must be able to show why your interest prevailed and what measures you took to limit the impact, for example data minimisation, a short retention period and an easy opt-out.

How to embed this in your awareness programme

Legal bases are too abstract for most staff; aim your awareness effort at recognition ("this needs a basis, and I know who to ask"), not at legal detail.

  • Mainly train the reflex 'processing needs a reason' in roles that collect data, such as marketing, HR and sales.
  • Use a decision aid or one example per basis instead of the legal text.
  • Tie it to your policy and record of processing, so theory and practice align.
  • Offer depth to officers and process owners via our course catalogue.

FAQ

What is a legal basis?

A legally permitted reason to process personal data. The GDPR defines six (Article 6). At least one must apply to every processing activity, otherwise the processing is unlawful.

Do I always need consent?

No. Consent is only one of the six bases and often not the most practical, because it can be withdrawn at any time and must be freely given. For many activities, contract, legal obligation or legitimate interests fit better.

What are legitimate interests?

A basis where your legitimate interest justifies the processing, provided the processing is necessary for that interest and the interest is not overridden by the data subject's interests and rights. You must perform and document that balancing test and limit the impact as far as possible.

Can I switch to another basis afterwards?

That is risky and usually not allowed. You determine the basis up front and tell data subjects which one applies; swapping to a different basis later, for example falling back on legitimate interests after someone withdraws consent, undermines trust and is in most cases unlawful.

Who checks whether my basis is correct?

Your national Data Protection Authority, and ultimately the courts. Under the GDPR's accountability principle you must be able to demonstrate compliance, so record which basis you chose for each processing activity and why, ideally in your record of processing activities.

Want help with implementation?

Book a short demo or discuss your use case. We respond quickly.