Lawful basis

Lawful basis is one of the most central principles in GDPR data protection and determines when personal data may be processed under the GDPR.

Explained – what does lawful basis mean?

Lawful basis, also called legal basis, is the legal ground required for the processing of personal data to be permissible under the General Data Protection Regulation (GDPR), Article 6. Every processing activity must rely on one of the lawful bases: consent, contract, legal obligation, protection of vital interests, task carried out in the public interest, or legitimate interests.

An appointed data protection officer (DPO) often plays a key role in ensuring that the lawful basis is identified and documented correctly, particularly for sensitive processing or new purposes. Lawful basis is applied in areas such as data protection, processing of personal data and regulatory compliance within GDPR data protection.

When does the question of lawful basis arise?

The question of lawful basis arises when an organisation plans, changes, or reviews how personal data is processed. This may concern anything from customer data in a CRM system to employee personal data in HR processes. The chosen lawful basis governs how the processing may be carried out and what rights data subjects have.

For example, in employment contexts the basis is often contract, whereas legitimate interests may be used for customer communications. For public authorities, performance of a task carried out in the public interest is a common ground.


Points to consider when determining a lawful basis

When an organisation determines the lawful basis, several practical and legal factors must be considered. Below are the central points that should be addressed in this work.

  • Always document the selected lawful basis before the processing starts.
  • Ensure the purpose of processing is clearly defined and necessary.
  • Avoid using multiple lawful bases for the same processing without clear justification.
  • Review regularly whether the chosen lawful basis remains valid, especially if purposes change.
  • Inform data subjects in the privacy notice which lawful basis is used.
  • Involve the data protection officer in assessing the lawful basis for new processing.
  • Consider specific requirements when processing sensitive personal data (special category data) under Article 9 GDPR.

A well-considered approach to lawful basis increases transparency and strengthens trust between the organisation and data subjects.

Frequently asked questions on lawful basis

Lawful basis is the legal precondition required to process personal data under the GDPR.

There are six lawful bases: consent, contract, legal obligation, protection of vital interests, task carried out in the public interest and legitimate interests. Each processing operation must be based on one of these grounds.

The organisation must analyse the purpose of processing and determine which option best corresponds to that purpose. In some cases, legal advice is required to avoid incorrect choices.

  • If processing is necessary to perform a contract, rely on the contract basis.
  • If processing is carried out for the exercise of official authority, rely on the public interest basis.
  • If no other basis fits, consent may be appropriate.

The lawful basis should be reassessed when the purpose of processing changes or when the organisation introduces new systems.

  • For new projects that process personal data.
  • When collected data will be used for new purposes.
  • For major changes in the business.

If processing takes place without a lawful basis, it is unlawful under the GDPR. This may lead to deletion requirements, sanctions under GDPR and reputational harm. The Data Protection Agency may also initiate regulatory supervision and order the organisation to cease processing.

The data protection officer (DPO) provides advice, reviews documentation and helps ensure that the lawful basis is correctly established. The DPO also acts as a contact point for the Data Protection Agency and supports GDPR data protection governance in line with accountability requirements.

Contact us

If you prefer phone, please feel free to contact Felix Morling at +46 70 444 42 85
