Lawful Basis

One of six legal grounds under GDPR Article 6 that must apply for any processing of personal data to be lawful.

Under GDPR Article 6, every processing activity needs a lawful basis — one of six. Without one, the processing is unlawful, full stop. The six are:

  1. Consent — the data subject gave freely given, specific, informed and unambiguous consent (Article 4(11)), which they can withdraw at any time.
  2. Contract — processing is necessary to perform a contract with the data subject (or to take pre-contract steps at their request).
  3. Legal obligation — required by EU or member state law (tax records, employment records, regulatory reporting).
  4. Vital interests — processing is necessary to protect someone's life. Rare; mostly emergency contexts.
  5. Public task — processing is necessary for a task carried out in the public interest or in exercise of official authority. Mostly used by public bodies.
  6. Legitimate interests — necessary for the legitimate interests of the controller or a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject. Requires a documented balancing test, and is not available to public authorities performing their official tasks.

For special categories of personal data (health, biometric, etc.) you also need an Article 9 condition on top of the Article 6 basis.

Choosing one is a decision, not a default

The lawful basis is set at the outset of the processing and cannot be silently swapped later. If you started with consent and the data subject withdraws it, you cannot quietly fall back to legitimate interests for the same processing. (You can, however, have separate processing activities with different bases — the contract basis for delivering a service, and consent for marketing emails about adjacent services, for example.)

How vendors connect

A vendor acting as a processor does not choose a lawful basis of its own; it processes on the controller's documented instructions (Article 28), and the controller's basis covers that processing. If a vendor handles data on the controller's behalf for a contract-based activity, the vendor does not get a separate lawful basis for the same data. If the vendor also uses the data for its own purposes (improving its product, for example), that is a separate processing activity needing its own lawful basis, and for that activity the vendor is the controller, with all of a controller's obligations.

Watching a vendor's privacy policy or data processing agreement for new "we may use your data to improve our services" language is one of the most common ways to catch this shift from processor to controller, because it usually appears there before it shows up anywhere else.

Related terms