One of the first questions which organisations involved in processing personal data (‘controllers’) should ask themselves before undertaking the processing is “What is my reason or justification for processing this personal data?” This is of key importance because any processing of personal data is only lawful where it has what is known as a ‘legal basis’. Article 6 of the General Data Protection Regulation (GDPR) sets out what these potential legal bases are, namely: consent; contract; legal obligation; vital interests; public task; or legitimate interests.

All controllers need to determine which legal basis they are relying on in order to ensure that any processing they undertake is lawful. There is no hierarchy or preferred option within this list; instead, each instance of processing should be based on the legal basis which is most appropriate in the specific circumstances.

Controllers should be aware that there may be different legal bases applicable where the same personal data are processed for more than one purpose. Further, it is important to note that ‘consent’, whilst perhaps the most well-known, is not the only legal basis for processing – or even the most appropriate in many cases.

Find out more in our guidance: