Lawful Basis
What does lawful basis mean?
A lawful basis is the legal justification an organization must have before collecting or using personal data. Privacy laws such as the GDPR require organizations to identify and document one of several recognized lawful bases before processing begins. These bases explain why data is being processed and determine the rights individuals have in relation to that processing.
How does lawful basis work?
A lawful basis must be chosen for each processing activity. Under laws like GDPR, the six possible lawful bases are: consent, contract, legal obligation, vital interests, public task, and legitimate interests. The organization must select the basis that accurately reflects the purpose of the activity and cannot switch it later without a valid reason. The chosen basis must be clearly explained to individuals in a privacy notice, and organizations must be able to demonstrate why the basis applies if questioned by regulators or users.
FAQs about lawful basis
Privacy laws require organizations to process personal data only when they have a clear legal reason. This ensures individuals understand why their information is being collected and limits the ability of organizations to use data for new or unrelated purposes without additional justification.
No. The lawful basis must match the actual purpose of the processing. For example, consent is appropriate when individuals have a genuine choice, while a legal obligation applies when processing is required by law. Organizations must choose the most accurate basis rather than the most convenient one.
Changing the lawful basis is generally discouraged and allowed only when the purpose of processing has clearly changed. For example, if a new legal requirement arises, the basis may shift to legal obligation. However, organizations cannot switch bases simply to avoid obligations such as consent withdrawal.
The six bases are:
- Consent – the individual freely agrees to the processing.
- Contract – processing is necessary to perform a contract with the individual, or to take steps the individual has requested before entering into one.
- Legal obligation – processing is required to comply with the law.
- Vital interests – necessary to protect someone’s life or safety.
- Public task – processing is necessary for a task carried out in the public interest or in the exercise of official authority, typically by public authorities.
- Legitimate interests – necessary for an organization’s interests unless overridden by the individual’s rights.
Yes. The rights individuals can exercise may differ depending on the lawful basis. For example, when processing is based on consent, individuals may withdraw consent. When based on legitimate interests, individuals have the right to object. Organizations must understand these differences to respond correctly to user requests.