The GDPR requires that a data controller identify and document a lawful basis before processing any personal data (a processor acts only on the controller's documented instructions). Article 6 sets out the six lawful bases for processing:
Consent - The data subject has given freely given, specific, informed and unambiguous consent to the processing for one or more specific purposes.
Contract - Processing is necessary to perform a contract with the data subject, or to take steps at the data subject's request before entering into one.
Legal obligation - Processing is necessary for the controller to comply with a legal obligation to which it is subject.
Vital interests - Processing is necessary to protect an interest "which is essential for the life of the data subject" or of another natural person.
Public interest - Processing is necessary for a task carried out in the "public interest" or in the exercise of official authority vested in the controller.
Legitimate interest - The controller (or a third party) has a "legitimate interest" that is not overridden by the data subject's "fundamental rights and freedoms".
The unifying theme across all six lawful bases is that each is tied to a specific reason or purpose. According to the Information Commissioner's Office:
No single basis is "better" or more important than the others - which basis is most appropriate to use will depend on your purpose and relationship with the individual.
It's important to note that the lawful basis must be identified and documented (internally, and in the public privacy notice required by Articles 13 and 14) before processing starts. Choose carefully: once you have relied on one lawful basis for a given purpose, switching to a different one later is hard to justify and may be unlawful. In particular, if you rely on consent and the data subject withdraws it, you cannot fall back on another basis to keep processing the same data for the same purpose.
It's also important to note that documenting a lawful basis does not give an organization carte blanche to process data. Five of the six bases require that the processing be "necessary" for the stated purpose, so they cannot be used to justify processing that doesn't actually need to happen. If the same purpose can reasonably be achieved without processing the personal data, or with less of it, the lawful basis does not apply.