Lawful basis for processing
At a glance
You must have a valid lawful basis in order to process personal data.
There are six available lawful bases for processing. No single basis is ‘better’ or more important than
the others – which basis is most appropriate to use will depend on your purpose and relationship with
the individual.
Most lawful bases require that processing is ‘necessary’. If you can reasonably achieve the same
purpose without the processing, you won’t have a lawful basis.
You must determine your lawful basis before you begin processing, and you should document it.
Take care to get it right first time - you should not swap to a different lawful basis at a later date
without good reason. In particular, you cannot usually swap from consent to a different basis.
Your privacy notice should include your lawful basis for processing as well as the purposes of the
processing.
If your purposes change, you may be able to continue processing under the original lawful basis if
your new purpose is compatible with your initial purpose (unless your original lawful basis was
consent).
If you are processing special category data you need to identify both a lawful basis for general
processing and an additional condition for processing this type of data.
If you are processing criminal conviction data or data about offences you need to identify both a
lawful basis for general processing and an additional condition for processing this type of data.
Checklist
We have reviewed the purposes of our processing activities, and selected the most
appropriate lawful basis (or bases) for each activity.
We have checked that the processing is necessary for the relevant purpose, and are satisfied
that there is no other reasonable way to achieve that purpose.
We have documented our decision on which lawful basis applies to help us demonstrate
compliance.
We have included information about both the purposes of the processing and the lawful basis
for the processing in our privacy notice.
Where we process special category data, we have also identified a condition for processing
special category data, and have documented this.
Where we process criminal offence data, we have also identified a condition for processing
this data, and have documented this.
02 August 2018 - 1.0.248
In brief
What’s new?
Why is the lawful basis for processing important?
What are the lawful bases?
When is processing ‘necessary’?
How do we decide which lawful basis applies?
When should we decide on our lawful basis?
What happens if we have a new purpose?
How should we document our lawful basis?
What do we need to tell people?
What about special category data?
What about criminal conviction data?
What’s new?
The requirement to have a lawful basis in order to process personal data is not new. It replaces and
mirrors the previous requirement to satisfy one of the ‘conditions for processing’ under the Data
Protection Act 1998 (the 1998 Act). However, the GDPR places more emphasis on being accountable for
and transparent about your lawful basis for processing.
The six lawful bases for processing are broadly similar to the old conditions for processing, although
there are some differences. You now need to review your existing processing, identify the most
appropriate lawful basis, and check that it applies. In many cases it is likely to be the same as your
existing condition for processing.
The biggest change is for public authorities, who now need to consider the new ‘public task’ basis first
for most of their processing, and have more limited scope to rely on consent or legitimate interests.
You can choose a new lawful basis if you find that your old condition for processing is no longer
appropriate under the GDPR, or decide that a different basis is more appropriate. You should try to get
this right first time. Once the GDPR is in effect, it will be much harder to swap between lawful bases at
will if you find that your original basis was invalid. You will be in breach of the GDPR if you did not
clearly identify the appropriate lawful basis (or bases, if more than one applies) from the start.
The GDPR brings in new accountability and transparency requirements. You should therefore make sure
you clearly document your lawful basis so that you can demonstrate your compliance in line with Articles
5(2) and 24.
You must now inform people upfront about your lawful basis for processing their personal data. You
need therefore to communicate this information to individuals by 25 May 2018, and ensure that you
include it in all future privacy notices.
Further Reading
Relevant provisions in the GDPR - See Article 6 and Recital 171, and Article 5(2)
Why is the lawful basis for processing important?
The first principle requires that you process all personal data lawfully, fairly and in a transparent
manner. Processing is only lawful if you have a lawful basis under Article 6. And to comply with the
accountability principle in Article 5(2), you must be able to demonstrate that a lawful basis applies.
If no lawful basis applies to your processing, your processing will be unlawful and in breach of the first
principle. Individuals also have the right to erase personal data which has been processed unlawfully.
The individual’s right to be informed under Article 13 and 14 requires you to provide people with
information about your lawful basis for processing. This means you need to include these details in your
privacy notice.
The lawful basis for your processing can also affect which rights are available to individuals. For
example, some rights will not apply:
However, an individual always has the right to object to processing for the purposes of direct marketing,
whatever lawful basis applies.
The remaining rights are not always absolute, and there are other rights which may be affected in other
ways. For example, your lawful basis may affect how provisions relating to automated decisions and
profiling apply, and if you are relying on legitimate interests you need more detail in your privacy notice
to comply with the right to be informed.
Please read the section of this Guide on individuals’ rights for full details.
Further Reading
Relevant provisions in the GDPR - See Article 6 and Recitals 39, 40, and Chapter III (Rights of the data subject)
What are the lawful bases for processing?
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply
whenever you process personal data:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific
purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they
have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including
contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your
official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate
interests of a third party unless there is a good reason to protect the individual’s personal data which
overrides those legitimate interests. (This cannot apply if you are a public authority processing data to
perform your official tasks.)
For more detail on each lawful basis, read the relevant page of this guide.
Further Reading
Relevant provisions in the GDPR - See Article 6(1), Article 6(2) and Recital 40
When is processing ‘necessary’?
Many of the lawful bases for processing depend on the processing being ‘necessary’. This does not
mean that processing always has to be essential. However, it must be a targeted and proportionate way
of achieving the purpose. The lawful basis will not apply if you can reasonably achieve the purpose by
some other less intrusive means.
It is not enough to argue that processing is necessary because you have chosen to operate your
business in a particular way. The question is whether the processing is necessary for the stated
purpose, not whether it is a necessary part of your chosen method of pursuing that purpose.
How do we decide which lawful basis applies?
This depends on your specific purposes and the context of the processing. You should consider which
lawful basis best fits the circumstances. You might consider that more than one basis applies, in which
case you should identify and document all of them from the start.
You must not adopt a one-size-fits-all approach. No one basis should be seen as always better, safer or
more important than the others, and there is no hierarchy in the order of the list in the GDPR.
You may need to consider a variety of factors, including:
What is your purpose – what are you trying to achieve?
Can you reasonably achieve it in a different way?
Do you have a choice over whether or not to process the data?
Are you a public authority?
Several of the lawful bases relate to a particular specified purpose – a legal obligation, a contract with
the individual, protecting someone’s vital interests, or performing your public tasks. If you are
processing for these purposes then the appropriate lawful basis may well be obvious, so it is helpful to
consider these first.
If you are a public authority and can demonstrate that the processing is to perform your tasks as set
down in UK law, then you are able to use the public task basis. If not, you may still be able to consider
consent or legitimate interests in some cases, depending on the nature of the processing and your
relationship with the individual. There is no absolute ban on public authorities using consent or legitimate
interests as their lawful basis, but the GDPR does restrict public authorities’ use of these two bases.
The Data Protection Act 2018 says that ‘public authority’ here means a public authority under the
Freedom of Information Act or Freedom of Information (Scotland) Act, with the exception of parish and
community councils.
If you are processing for purposes other than legal obligation, contract, vital interests or public task,
then the appropriate lawful basis may not be so clear cut. In many cases you are likely to have a choice
between using legitimate interests or consent. You need to give some thought to the wider context,
including:
Who does the processing benefit?
Would individuals expect this processing to take place?
What is your relationship with the individual?
Are you in a position of power over them?
What is the impact of the processing on the individual?
Are they vulnerable?
Are some of the individuals concerned likely to object?
Are you able to stop the processing at any time on request?
You may prefer to consider legitimate interests as your lawful basis if you wish to keep control over the
processing and take responsibility for demonstrating that it is in line with people’s reasonable
expectations and wouldn’t have an unwarranted impact on them. On the other hand, if you prefer to
give individuals full control over and responsibility for their data (including the ability to change their
mind as to whether it can continue to be processed), you may want to consider relying on individuals’
consent.
Example
A university that wants to process personal data may consider a variety of lawful bases depending
on what it wants to do with the data.
Universities are classified as public authorities, so the public task basis is likely to apply to much of
their processing, depending on the detail of their constitutions and legal powers. If the processing is
separate from their tasks as a public authority, then the university may instead wish to consider
whether consent or legitimate interests are appropriate in the particular circumstances, considering
the factors set out below. For example, a University might rely on public task for processing
personal data for teaching and research purposes; but a mixture of legitimate interests and consent
for alumni relations and fundraising purposes.
The university however needs to consider its basis carefully – it is the controller’s responsibility to
be able to demonstrate which lawful basis applies to the particular processing purpose.
Further Reading
In more detail – ICO guidance
We have produced the lawful basis interactive guidance tool, to give more tailored guidance on
which lawful basis is likely to be most appropriate for your processing activities.
Key provisions in the Data Protection Act 2018 - see section 7 (Meaning of public authority and
public body)
When should we decide on our lawful basis?
You must determine your lawful basis before starting to process personal data. It’s important to get this
right first time. If you find at a later date that your chosen basis was actually inappropriate, it will be
difficult to simply swap to a different one. Even if a different basis could have applied from the start,
retrospectively switching lawful basis is likely to be inherently unfair to the individual and lead to
breaches of accountability and transparency requirements.
It is therefore important to thoroughly assess upfront which basis is appropriate and document this. It
may be possible that more than one basis applies to the processing because you have more than one
purpose, and if this is the case then you should make this clear from the start.
If there is a genuine change in circumstances or you have a new and unanticipated purpose which
means there is a good reason to review your lawful basis and make a change, you need to inform the
individual and document the change.
Example
A company decided to process on the basis of consent, and obtained consent from individuals. An
individual subsequently decided to withdraw their consent to the processing of their data, as is their
right. However, the company wanted to keep processing the data so decided to continue the
processing on the basis of legitimate interests.
Even if it could have originally relied on legitimate interests, the company cannot do so at a later
date – it cannot switch basis when it realised that the original chosen basis was inappropriate (in this
case, because it did not want to offer the individual genuine ongoing control). It should have made
clear to the individual from the start that it was processing on the basis of legitimate interests.
Leading the individual to believe they had a choice is inherently unfair if that choice will be
irrelevant. The company must therefore stop processing when the individual withdraws consent.
Further Reading
Relevant provisions in the GDPR - See Article 6(1) and Recitals 39 and 40
What happens if we have a new purpose?
If your purposes change over time or you have a new purpose which you did not originally anticipate,
you may not need a new lawful basis as long as your new purpose is compatible with the original
purpose.
However, the GDPR specifically says this does not apply to processing based on consent. Consent must
always be specific and informed. You need to either get fresh consent which specifically covers the new
purpose, or find a different basis for the new purpose. If you do get specific consent for the new
purpose, you do not need to show it is compatible.
In other cases, in order to assess whether the new purpose is compatible with the original purpose you
should take into account:
any link between your initial purpose and the new purpose;
the context in which you collected the data – in particular, your relationship with the individual and
what they would reasonably expect;
the nature of the personal data eg is it special category data or criminal offence data;
the possible consequences for individuals of the new processing; and
whether there are appropriate safeguards - eg encryption or pseudonymisation.
This list is not exhaustive and what you need to look at depends on the particular circumstances.
As a general rule, if the new purpose is very different from the original purpose, would be unexpected,
or would have an unjustified impact on the individual, it is unlikely to be compatible with your original
purpose for collecting the data. You need to identify and document a new lawful basis to process the
data for that new purpose.
The GDPR specifically says that further processing for the following purposes should be considered to be
compatible lawful processing operations:
archiving purposes in the public interest;
scientific research purposes; and
statistical purposes.
There is a link here to the ‘purpose limitation’ principle in Article 5, which states that “personal data shall
be collected for specified, explicit and legitimate purposes and not further processed in a manner that is
incompatible with those purposes”.
Even if the processing for a new purpose is lawful, you will also need to consider whether it is fair and
transparent, and give individuals information about the new purpose.
Further Reading
Relevant provisions in the GDPR - See Article 6(4), Article 5(1)(b) and Recital 50, Recital 61
How should we document our lawful basis?
The principle of accountability requires you to be able to demonstrate that you are complying with the
GDPR, and have appropriate policies and processes. This means that you need to be able to show that
you have properly considered which lawful basis applies to each processing purpose and can justify your
decision.
You need therefore to keep a record of which basis you are relying on for each processing purpose, and
a justification for why you believe it applies. There is no standard form for this, as long as you ensure
that what you record is sufficient to demonstrate that a lawful basis applies. This will help you comply
with accountability obligations, and will also help you when writing your privacy notices.
It is your responsibility to ensure that you can demonstrate which lawful basis applies to the particular
processing purpose.
Read the accountability section of this guide for more on this topic. There is also further guidance on
documenting consent or legitimate interests assessments in the relevant pages of the guide.
Further Reading
Relevant provisions in the GDPR - See Articles 5(2) and 24
What do we need to tell people?
You need to include information about your lawful basis (or bases, if more than one applies) in your
privacy notice. Under the transparency provisions of the GDPR, the information you need to give people
includes:
your intended purposes for processing the personal data; and
the lawful basis for the processing.
This applies whether you collect the personal data directly from the individual or you collect their data
from another source.
Read the ‘right to be informed’ section of this guide for more on the transparency requirements of the
GDPR.
Further Reading
Relevant provisions in the GDPR - See Article 13(1)(c), Article 14(1)(c) and Recital 39
What about special category data?
If you are processing special category data, you need to identify both a lawful basis for processing and
a special category condition for processing in compliance with Article 9. You should document both your
lawful basis for processing and your special category condition so that you can demonstrate compliance
and accountability.
Further guidance can be found in the section on special category data.
What about criminal offence data?
If you are processing data about criminal convictions, criminal offences or related security measures,
you need both a lawful basis for processing and a separate condition for processing this data in
compliance with Article 10. You should document both your lawful basis for processing and your criminal
offence data condition so that you can demonstrate compliance and accountability.
Further guidance can be found in the section on criminal offence data.
In more detail – ICO guidance
We have produced the lawful basis interactive guidance tool, to give tailored guidance on which
lawful basis is likely to be most appropriate for your processing activities.