Our data protection lawyers assess lawful basis and document what makes the processing lawful
A lawful basis is required for the processing of personal data for the processing to be lawful. The lawful basis must be determined by the company responsible for the processing (the controller) before the processing begins. It is about having a valid reason or legal basis for each specific processing activity. The GDPR sets out six different lawful bases: consent, contract, legal obligation, protection of vital interests, task carried out in the public interest or exercise of official authority, and legitimate interests.
A specific processing activity may fall within one or more of the lawful bases. However, each processing operation must be tied to one of these bases to be lawful; that is, even if the processing could fit within several of the GDPR legal bases, the controller must choose one of them.
The choice of lawful basis affects which rights the data subjects (for example, the controller’s customers) have and which obligations rest on the controller. It is therefore important to analyse and document carefully which GDPR lawful basis is relied on for each specific processing operation. Without a lawful basis, the processing of personal data is unlawful under the GDPR.
GDPR legal bases: In this text, we explain the six lawful bases. Morling Consulting assesses which legal basis may be relevant for a given processing activity and what the effect of the chosen lawful basis is.
We identify which personal data processing takes place and which systems and processes it sits within, so each activity can be linked to the correct legal basis. The result is a clear description that makes the assessment efficient and traceable.
For each processing activity, we compile what drives the need for the processing and which requirements affect the choice of basis—for example contractual relationships, statutory obligations, or other factors. This provides decision support that reduces the risk of unclear or hard-to-justify choices.
We assess which bases apply and identify the basis that best matches each processing activity. At the same time, we clarify which rights become relevant based on the selected legal basis.
We prepare wording and supporting material that can be added to the record of processing activities, so the choice can be explained if questions arise or during an audit. The focus is on the rationale for the selected basis and what needs to be followed up over time.
We set a routine for when the legal basis needs to be reassessed due to new purposes, changed processes, or new recipients, so the basis remains robust. This makes it easier to manage updates without creating gaps in documentation or in the information provided to data subjects.
Where the interpretation is unclear, the overall structure of existing decisions and arrangements often determines which choice is reasonable and sustainable. Anchor the work in documentation and practical controls so decisions can be defended over time, and strengthen the supporting basis around contracts, records and storage.
When an organisation selects a lawful basis for processing personal data, it is important to make a careful assessment. The choice affects both rights and obligations, and it is not always straightforward to change the basis afterwards. Key factors to consider include:
By analysing these factors, organisations reduce compliance risks and strengthen the protection of data subjects’ rights.
Consent as a GDPR lawful basis means that a person has given freely, specific, informed and unambiguous approval to the processing of their personal data for one or more specified purposes. Once consent has been given, it must be as easy to withdraw as it was to give, and the person must be informed of this right before consent is obtained.
Consent must be an affirmative act and cannot be presumed through silence or inactivity. It is the controller’s responsibility to demonstrate that valid consent has been obtained.
Contract is a lawful basis under the GDPR and means that processing of personal data is permitted when necessary to perform a contract to which the data subject is party. Contract as a legal basis also covers pre-contractual measures taken prior to entering into a contract when those measures are taken at the request of the data subject with a view to entering into a contract.
For example, a company may process a customer’s address to deliver goods ordered under a sales contract. This basis is common for transactions, employment relationships and service delivery where personal data processing is required to fulfil contractual obligations.
The controller may be under a legal obligation requiring the processing of personal data. This means the lawful basis of legal obligation applies to the extent the processing is necessary to comply with a duty arising from law, regulation or another legal requirement.
For example, an organisation may process personal data to meet bookkeeping obligations under accounting legislation. This basis applies where the controller is legally obliged to carry out the processing, and it cannot be used for voluntary undertakings. It must therefore be established how far the legal obligation extends; if this is unclear, another GDPR legal basis may need to be considered.
Personal data may be processed if necessary to protect the vital interests of the data subject or another person, particularly where the person is physically or legally unable to give consent. The lawful basis is then protection of vital interests, which is primarily relevant in emergencies — for example, where a person is unconscious and needs urgent medical care. Other legal bases should be considered before relying on protection of vital interests.
This lawful basis means processing is permitted when necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This applies primarily to public authorities but can also include private actors performing tasks in the public interest.
The processing must be supported by law, other legislation, a collective agreement or a decision made under statutory authority. An example would be processing of personal data in education, healthcare or other public services.
Legitimate interests as a legal basis means an organisation may process personal data where its legitimate interest outweighs the data subject’s interests in privacy. The organisation must carry out a careful assessment balancing its legitimate interests against the individual’s rights and freedoms. Legitimate interests as a lawful basis differs from the other bases in that the controller must itself identify and weigh its own legitimate interest against the data subject’s interests.
Legitimate interests may, for example, be used for direct marketing, noting that the data subject has a right to object to receiving direct marketing. The balancing test must be documented, and the processing must be necessary to achieve the legitimate interest. Under any GDPR legal basis, the organisation must also ensure transparency and data minimisation.
At Morling Consulting, we help companies with the GDPR, for example by assessing the applicable legal basis. We support organisations with GDPR compliance and can assist with one-off engagements, projects or longer-term arrangements across Europe. We can help identify the appropriate GDPR legal basis for each processing activity and ensure the rationale is recorded.
A lawful basis is the legal ground required to process personal data lawfully under the General Data Protection Regulation (GDPR). Processing must always take place under one of the six lawful bases set out in the GDPR; otherwise the processing is unlawful.
Yes. Without a lawful basis, processing is unlawful. The controller must have identified and documented a valid GDPR legal basis before personal data may be processed.
It depends on the purpose of the processing. You should consider:
The choice must be documented because it affects both obligations and data subjects’ rights. Data subjects must also be informed of the lawful bases applied and the rights associated with them, for example in a privacy notice.
Legitimate interests is appropriate when:
Yes. Under the accountability principle in the GDPR, every processing operation must be justifiable and documented. The documentation must show which GDPR legal basis has been chosen and how the assessment was carried out (particularly for legitimate interests).
We offer:
If an organisation processes personal data without a valid lawful basis, it breaches the GDPR. This can lead to:
No. Each processing operation must be tied to a single lawful basis. It is not permitted to “back up” the same processing with multiple bases. However, different bases may apply to different parts of an organisation’s processing activities.
Consent should be avoided when:
In these cases, it is better to consider other bases such as contract, legal obligation or legitimate interests.
For example, Morling Consulting may:
Our advice is always tailored to your organisation’s needs, risk profile and legal context.
Do you need to assess the lawful basis for a processing activity? Contact us to discuss