GDPR Lawful Bases for Processing Personal Data

Lawful Bases for Processing (GDPR Explained for Businesses & Users)

The GDPR requires every organisation to have a lawful basis before collecting, using, or storing personal data. This requirement is not optional; it is the legal foundation that determines whether your processing activities are allowed under EU law. Choosing the correct lawful basis is essential for regulatory compliance, data minimisation, transparency, and user trust.

This page breaks down each lawful basis in practical terms: what it means, when to use it, how businesses benefit, how users benefit, common mistakes to avoid, and real examples.

Why Lawful Bases Matter

Every data processing activity (tracking analytics, sending emails, storing customer records, running ads, operating a login portal) must be tied to one lawful basis.

For businesses, lawful bases:

  • Provide legal defensibility during audits or complaints
  • Reduce risk of unlawful processing
  • Guide policies, retention schedules, and documentation
  • Improve internal decision-making and accountability
  • Strengthen trust between the business and customers

For users, lawful bases:

  • Ensure their data is collected fairly
  • Limit processing to what is truly necessary
  • Prevent hidden or abusive data practices
  • Give them enforceable rights and protections
  • Provide transparency about why data is collected and how it’s used

If you do not choose the correct lawful basis and document it, you risk GDPR violations, fines, and forced deletion of data.

The 6 Lawful Bases for Processing

Below is a clear breakdown of each lawful basis, with guidance tailored to typical websites, SaaS platforms, agencies, SMEs, and service businesses.

1. Consent

Consent is valid only when it is freely given, specific, informed, unambiguous, and revocable.

When businesses should use consent

  • Non-essential cookies (analytics, ads, tracking)
  • Email marketing not covered by soft opt-in rules
  • Voluntary surveys, newsletters, webinars
  • Downloadable resources exchanged for data
  • Cross-site or multi-device tracking
  • Profiling or behavioural advertising

Benefits for businesses

  • Builds genuine user trust
  • Provides strong legal cover for high-risk processing
  • Encourages ethical transparency
  • Allows richer marketing data—when done right

Benefits for users

  • Complete control over what is tracked
  • Can refuse without negative consequences
  • Can withdraw any time
  • Protected from hidden tracking

Common mistakes

  • Pre-ticked boxes
  • “By using this site you agree” banners
  • Bundled consents
  • No withdraw option

2. Contract

Processing is lawful if it is necessary to perform a contract or take steps at the user’s request before entering one.

Use this basis for:

  • SaaS signup or onboarding
  • Requesting quotes or estimates
  • Purchasing goods or services
  • Managing bookings, billing, scheduling
  • Providing login access or accounts
  • Delivering digital or physical products

Benefits for businesses

  • Clear justification for essential operations
  • Smooth onboarding
  • Strong legal foundation
  • Reduces need for repeated consent

Benefits for users

  • Data used only to deliver requested services
  • Processing stays limited to what’s required
  • Transparent and predictable

Common mistakes

  • Using contract to justify marketing
  • Collecting unnecessary data
  • Applying contract basis to optional features

3. Legal Obligation

This applies when you must process data to comply with EU or Member State law.

When businesses should use it:

  • Tax reporting and invoicing
  • Maintaining financial records
  • Employee payroll compliance
  • KYC / AML checks
  • Responding to legal requests

Benefits for businesses

  • Clear legal justification
  • Predictable obligations
  • Strong documentation trail
  • Reduces compliance risk

Benefits for users

  • Ensures responsible handling of data
  • Strong accountability
  • Prevents unlawful processing

Common mistakes

  • Claiming legal obligation for everything
  • Storing more than required
  • Not documenting the specific law involved

4. Vital Interests

This basis is rare and applies mainly in emergency situations.

When this applies:

  • Protecting someone’s life
  • Medical emergencies
  • Humanitarian responses
  • Critical safety situations

Benefits for businesses

  • Allows urgent action during emergencies
  • Removes procedural delays

Benefits for users

  • Ensures urgent care can be provided
  • Protects vulnerable individuals

Common mistakes

  • Using it for normal health services
  • Applying it outside true emergencies

5. Public Task

This applies to public authorities or entities performing official tasks under EU or national law. Private businesses rarely use this basis.

6. Legitimate Interests

A flexible but commonly misused basis. It applies when the organisation’s interests are legitimate, processing is necessary, and user rights are not overridden.

Use this basis for:

  • Operating essential website functionality
  • Fraud prevention
  • Network and information security
  • Non-invasive internal analytics
  • Soft opt-in marketing to existing customers
  • Server-side or anonymised analytics

Benefits for businesses

  • No consent required
  • Operational flexibility
  • Supports security and optimisation
  • Suitable for backend processes

Benefits for users

  • Fewer annoying consent banners
  • Better website functionality
  • Enhanced security

Common mistakes

  • Using it for ads or behavioural tracking
  • Skipping the balancing test
  • No documentation
  • Lack of transparency in the privacy notice

How to Choose the Correct Lawful Basis

1. Is the processing optional or for marketing/analytics?
→ Use Consent.

2. Is it essential for services the user requested?
→ Use Contract.

3. Is it required by law?
→ Use Legal Obligation.

4. Is it a life-or-death situation?
→ Use Vital Interests.

5. Public authority or official task?
→ Use Public Task.

6. Legitimate business need without harming user rights?
→ Use Legitimate Interests.

Comparison Table: Lawful Bases

Lawful Basis          When to Use                     Needs Consent?  User Rights Impact  Good For                     Not Good For
Consent               Optional, marketing, tracking   Yes             Strong              Ads, analytics, newsletters  Essential operations
Contract              Delivering requested services   No              Moderate            Accounts, purchases          Marketing
Legal Obligation      Required by law                 No              Limited             Tax, payroll                 Marketing, analytics
Vital Interests       Emergencies                     No              Low                 Life-saving events           Commercial services
Public Task           Government functions            No              Varies              Official authority           Private businesses
Legitimate Interests  Operational needs               No              Medium              Security, optimisation       Behavioural ads

How This Helps Businesses

Implementing the correct lawful basis improves operational clarity and reduces regulatory risk. It also helps teams:

  • Build better policies
  • Document processing activities
  • Design compliant user journeys
  • Reduce reliance on excessive consent banners
  • Improve customer trust and conversion rates

How This Helps Users

Users benefit because lawful bases ensure:

  • Fair data handling
  • No hidden tracking
  • Proper rights management
  • Business accountability
  • Collection only when necessary

What Your Privacy Notice Must Include

Every privacy notice must clearly state:

  • The lawful basis for each processing activity
  • Why that basis is appropriate
  • What data is collected
  • Retention periods
  • Data sharing practices
  • How to withdraw consent or object
  • How to exercise user rights

Implementing Lawful Bases in Your Business

To operationalise lawful bases effectively, businesses should:

  • Map all data flows
  • Assign a lawful basis to each processing activity
  • Document justification
  • Update the privacy notice
  • Design user interfaces that reflect the basis
  • Maintain internal audit records
  • Review at least annually

Without this, your organisation will not be GDPR-compliant.