Under the GDPR there are 6 lawful bases for processing.
Compliance with a legal obligation is the first such basis, and is considered by many the ideal one for data processing. Examples include employment records, accident health reports, etc.
Contractual obligations are another legal basis for processing. Firstly, there are the processing operations necessary for performing a contract. Secondly, there are cases when processing is necessary and permitted even before entering into a contract. In these instances, it will usually be the data subject who initiates the processing; for example, when making a purchase, credit card details may be needed to perform a payment. In these cases, the processing is permitted only for the specified purposes.
Vital interests are another legal basis for data processing. This should be the most rarely used basis, however, as it usually applies to life-or-death situations.
When a task is carried out in the public interest or by a public authority, processing personal data is permitted. This legal basis can easily be subject to objection from the data subject. This may or may not stand, but its role is to allow the data subject to verify the controller’s definition of public interest.
Legitimate interest is another legal basis for processing under the GDPR. It is probably the most ambiguous of the 6 and covers any processing that does not fall into the other categories. It should be used with caution and only in situations where the interests, rights and freedoms of the data subjects do not override the controller's interests. Examples of situations where legitimate interest is an appropriate basis for processing include fraud prevention, transmitting data for internal administrative purposes within the controller's undertakings, or certain relationships between the data subject and the controller, such as a client or service relationship.
Finally, consent represents the sixth legal basis for processing. It has been extensively discussed on the page dedicated specifically to consent.