The GDPR establishes six lawful bases organizations must rely on to process personal data. Implementing these standards is non-negotiable, and any misstep exposes your organization to regulatory action and even heavy financial penalties.

Organizations often struggle to meet the strict requirements for establishing a lawful basis, particularly when they must back it with a well-documented and defensible rationale. The challenge grows even more complex when processing special category data, which carries additional requirements.

This guide breaks down the six lawful GDPR bases and provides practical tips for selecting one. We’ll also cover the additional considerations when processing special category data.

What is a lawful basis under the GDPR?

According to Article 6 of the GDPR, a lawful basis is the legal justification an organization must have for processing personal data. Organizations must establish a lawful basis before they commence processing activities, as well as inform the data subjects of the reasoning at the point of data collection.

The GDPR defines six possible lawful bases:

[Infographic: the six GDPR lawful bases for processing personal data]

  1. Consent of the data subject
  2. Contractual requirement
  3. Legal obligations
  4. Vital interest
  5. Public interest task
  6. Legitimate interest


1. Consent of the data subject

Consent is a lawful basis for processing under GDPR only if it meets strict criteria:

  • Freely given: The individual consents to processing voluntarily and without any pressure
  • Informed: The data subject understands the purpose, scope, and implications
  • Unambiguous: The consent is provided with a clear action, such as ticking a box or signing a digital form
  • Specific: The consent is valid only for a specified purpose and cannot be bundled with unrelated processing 

If the processing is necessary to provide the service itself, consent is not the right basis; contract is.

Data subjects must also be able to withdraw consent as easily as they provide it. If you’re potentially collecting data from subjects under the age of 16, you must establish measures to obtain parental or guardian authorization for processing. Additionally, consent requests must be kept separate from the terms of service. The related privacy notice must be presented in plain and accessible language.

A common misinterpretation is using consent as a lawful basis to justify ordinary business needs, such as targeted advertising. Regulators have also flagged making consent a mandatory condition of a service when the processing isn’t necessary for it.

Real-world scenarios:

2. Contractual requirement

Processing personal information under contractual requirements is an applicable lawful basis if it’s necessary to fulfill service obligations. Typical examples include services that use customer details to deliver goods to a home address or need payment information to set up a recurring subscription.

Before you can start processing data on this basis, you must assess whether the data is strictly necessary to perform the contract. If your assessment shows that some part of the data falls outside the contract scope, you must establish a separate legal basis. For example, using the collected data for targeted marketing isn’t necessary to fulfill a contract, so you’d have to base it on either consent or legitimate interest instead.

Real-world scenarios:

Good practice: A telehealth service uses a customer’s contact details to schedule medical appointments.
Bad practice: An e-commerce app shares users’ demographic data, such as age and marital status, with a partner dating app to support profiling.

3. Legal obligations

A legal obligation can serve as a lawful basis if your organization’s processing activities are required by EU or EU member state legislation. As with contractual requirements, you must assess and confirm that the processing activity actually serves compliance with the law.

There are four conditions for relying on this basis:

  • The legal obligation must be explicitly mentioned in the applicable law
  • The law establishes a clear and ongoing obligation to process personal data
  • The law defines the purpose of processing
  • The obligation is imposed on the controller (not the data subjects)

The legislation does not need to list the processing activities themselves. The burden of proof ultimately rests on the organization: it must be able to point to the specific legal provision or statement within the law that justifies the activity.

Real-world scenarios:

Good practice: An organization processes employees’ tax details to comply with a statutory law.
Bad practice: A consumer DNA testing company keeps the collected samples indefinitely without explicit consent, even though the regulation requires keeping them only for a limited period.


4. Vital interest

Vital interest is reserved for situations where organizations must process data to protect an individual’s life or to mitigate a serious threat. It’s commonly used by hospitals treating unconscious patients or for finding missing persons, since those data subjects are not in a position to give their consent.

This basis can apply to the vital interests of the data subject or of another individual. Under Article 9 of the GDPR, vital interests can also justify processing special categories of data, such as health information, in critical situations.

Vital interest mostly applies in narrow, emergency-driven scenarios. Always consider if a different legal basis for processing could be more appropriate.

Real-world scenarios:

Good practice: A disaster response organization conducts large-scale processing for humanitarian purposes, such as monitoring epidemics.
Bad practice: An airline accesses travellers’ medical information to offer insurance upsells, asserting that it safeguards their lives.

5. Public interest task

This basis is primarily used by controllers that process data to carry out tasks in the public interest or under official authority. These controllers include:

  • Government bodies
  • Regulators and oversight authorities
  • Public education and research institutions

Private controllers can also rely on this basis while performing public interest tasks, such as operating utilities. 

Regardless of the controller, the activity must be grounded in EU, national, or state law. It must address a proportionate objective that benefits the public.

For processing data relating to criminal convictions and offences, stricter conditions apply:

  1. A law must specifically permit the processing
  2. A government authority must oversee the activities

Real-world scenarios:

Good practice: A municipal board uses resident data to schedule mandatory infrastructure inspections.
Bad practice: A state-backed cultural board collects demographic data from the attendees of a music festival for research, but without a legal mandate.


6. Legitimate interest

Legitimate interest is a highly flexible legal basis, typically used when others aren’t applicable. This flexibility comes with stricter requirements for controllers: organizations must ensure their processing needs don't override the rights of the data subjects.

To use legitimate interest as your basis, conduct a balancing test to consider the data subject's expectations and whether processing negatively impacts their interests, rights, or freedoms.

“After all, GDPR exists to safeguard people’s rights and freedoms. Conducting a balancing test helps you confirm whether your business interests are appropriate and don’t cross the line into causing harm.”

Evan Rowse

A common issue observed in GDPR compliance is the overreliance on legitimate interest as a blanket justification for all processing activities. Keep in mind that regulators, auditors, and data subjects expect proof. As such, it's important to document your balancing test results to ensure accountability during audits or regulatory reviews.

Real-world scenarios:

Good practice: A grocery app analyzes anonymized customer data to optimize inventory levels and documents how individual rights are not harmed.
Bad practice: A social media platform uses location data to suggest nearby events without performing a balancing test or assessing privacy risks.

How to decide on an applicable lawful basis

It’s possible that your processing activities map to several lawful bases. However, you can only establish one basis for a specific processing activity. To identify the appropriate basis, look into:

  • The purpose of processing: Some purposes are directly linked to particular lawful bases, such as fulfilling a contract or meeting legal obligations
  • Expectations and relationship with data subjects: Evaluate whether the data subjects would reasonably expect this kind of processing, given your relationship with them
  • Impact on data subjects: Assess the potential impact processing may have on individuals, considering their position and any concerns that could lead them to object
  • Control and responsibility: Determine how much control over the processing rests with your organization versus the data subjects

Once you’ve established a legal basis, don’t change it unless your processing purpose changes and a later evaluation shows that it’s no longer appropriate for the processing activity. If this happens, carefully document the change and inform the data subjects and supervisory authority to align with GDPR’s transparency principle.

Processing special categories of data

Special category data includes race, ethnicity, and biometric and genetic data. Due to the highly sensitive nature of this information, you can only process it if specific criteria are met, such as:

  • Explicit consent from the data subject for the specified purpose
  • The data subject has made the information publicly available
  • Processing is in the interest of public health, such as cross-border epidemic threats
  • Processing is essential for establishing, exercising, or defending legal claims (or when courts act in their legal role)

The processing of health or social care data can only be performed by an individual who is subject to professional secrecy, such as a doctor or a nurse.

The GDPR only sets baseline conditions for handling special categories of data. Member States may impose additional requirements through national laws. As a best practice, review country-specific requirements to avoid potential non-compliance penalties.


Best practices for establishing a lawful basis

Establishing a lawful basis in alignment with the GDPR requires careful planning and oversight. You can streamline the process and reduce risk by following these best practices:

  • Avoid retroactive justification: Define the scope and purpose of your processing activities before starting them. That way, you can establish a lawful basis that aligns with your processes and long-term goals.
  • Continuously monitor processing activities: Review your processing activities regularly to detect potential shifts that could trigger a change in lawful basis.
  • Maintain thorough documentation with reasoning: Document the rationale behind your processing activities and any subsequent changes to facilitate audits and reviews.
  • Create clear data subject rights workflows: Design repeatable processes that help your team identify, respond to, and meet any data subject requests quickly.

Streamline your GDPR compliance strategy with Vanta

Manually performing GDPR compliance workflows requires significant resources and can be a time drain for smaller teams. Operationalizing the requirements across processes and systems is also challenging and increases the risk of inefficiencies. You can mitigate these risks by leveraging Vanta’s dedicated GDPR solution, which can automate numerous compliance tasks.

Vanta is a trust management platform that helps organizations with step-by-step guidance on GDPR compliance. With Vanta’s built-in workflows, integrations, and resources, you can eliminate hours worth of effort and significantly reduce long-term compliance costs.

Whether you’re a data controller, processor, or both, Vanta can support any role with actionable workflows. Its GDPR product comes with features built for efficiency, such as:

  • Automated evidence collection powered by 400+ integrations
  • Real-time control monitoring with instant reports
  • Inventory management in a unified dashboard
  • Pre-built policy templates and a customization tool
  • GDPR and security awareness training—and more

Schedule a custom demo to experience Vanta’s GDPR solution first-hand.


A note from Vanta: Vanta is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance with respect to relevant laws and regulations, you should consult a licensed attorney.

Your guide to the 6 lawful bases for data processing under GDPR

Written by Vanta
Reviewed by Evan Rowse, GRC Subject Matter Expert

