GDPR Legal Bases Explained: The Six Grounds for Processing Personal Data
TL;DR — Quick Answer
Every GDPR processing operation requires one of six legal bases. The choice has practical consequences for both obligations and individual rights, and must genuinely apply to the processing.
Under the GDPR, every processing operation involving personal data must be grounded in one of six legal bases. Choosing the correct legal basis is not a formality -- it determines what obligations the organization faces and what rights individuals can exercise.
The Six Legal Bases
Consent: The individual has given clear, affirmative agreement to their data being processed for a specific purpose. Consent must be freely given, specific, informed, and unambiguous. It can be withdrawn at any time.
Contractual necessity: Processing is necessary to perform a contract with the individual or to take pre-contractual steps at their request. This only covers processing that is genuinely necessary for the contract, not everything tangentially related.
Legal obligation: Processing is required to comply with a legal obligation that applies to the organization. This does not include contractual obligations but refers to requirements imposed by law.
Vital interests: Processing is necessary to protect someone's life. This is a narrow basis reserved for emergency situations.
Public interest: Processing is necessary for performing a task in the public interest or exercising official authority. This primarily applies to public bodies.
Legitimate interest: Processing is necessary for the organization's legitimate interests, provided those interests are not overridden by the individual's rights and freedoms. This requires a documented balancing test.
Choosing the Right Basis
The choice of legal basis has practical consequences. For instance, relying on consent gives individuals the right to withdraw it, while relying on legitimate interest gives individuals the right to object. Organizations cannot simply choose whichever basis is most convenient -- the basis must genuinely apply to the processing in question.