On the six lawful bases: When may you process personal data?

2 mins read • Legal Writer • GDPR • 30 July 2025

Processing personal data requires support under one of the six lawful bases in the GDPR. A common mistake among companies is selecting the wrong basis — or several at once — which can result in misapplication of the GDPR. Below is an overview of typical misjudgements when identifying the appropriate lawful basis for processing personal data.

Common mistakes when selecting a lawful basis for processing personal data

A frequent error is to use consent as the default solution, perhaps because it seems straightforward when it is uncertain which basis applies. Consent must be voluntary, informed and capable of being withdrawn. In employment relationships or other contexts with a power imbalance, consent will rarely be considered voluntary. This reflects the GDPR's consent requirements: organisations must ensure that consent is informed and genuinely freely given, and individuals must be able to withdraw their consent at any time.

Another mistake is to conflate contract and legitimate interests. Processing that is necessary for the performance of a contract requires no separate balancing test; the GDPR has, in effect, already undertaken that assessment. If the processing goes beyond what is necessary to perform the contract, a different lawful basis is required — often legitimate interests, provided a balancing test supports it. Selecting the appropriate legal grounds for processing personal data is therefore a matter of scope and necessity, not preference.

A third common misjudgement is to invoke legal obligation without a clear statutory requirement. This basis applies only where a Swedish law or other statutory instrument requires specific processing of personal data. It is not sufficient that legislation might be interpreted as covering a type of processing; the statutory requirement must be sufficiently clear and specific.

The GDPR requires each processing activity to have a clear, documented lawful basis. This means the basis must not only exist — it must be demonstrable. Retrospectively switching lawful basis, or citing “multiple bases” for the same processing, is not permitted. Anchor your assessment in one of the six lawful bases under the GDPR and document the rationale in a manner proportionate to risk and scale.

At Morling Consulting, our GDPR lawyers help companies ensure the correct selection and documentation of the lawful basis for processing personal data — from policy through to practical implementation.