What is Lawful Basis for Processing?

A lawful basis for processing is the legal justification a controller must have to process personal data under GDPR Article 6, which sets out exactly six: consent, contract, legal obligation, vital interests, public task, and legitimate interests. At least one must apply to every processing activity, and you should identify it before you start.

The GDPR allows no processing of personal data without one of the six Article 6 bases, and you must document which one applies to each activity. Consent is only one option — and often the weakest, because it must be freely given and can be withdrawn — so contract or legitimate interests are frequently more appropriate. For example, a shop relies on "contract" to process an order, "legal obligation" to keep tax records, and "legitimate interests" for fraud screening.

Special-category data (health, biometrics, race, and similar under Article 9) needs an additional Article 9 condition on top of the Article 6 basis — a commonly missed requirement.

Mapping a lawful basis to each entry in your Record of Processing Activities is core to accountability, and privacy-notice and assessment templates help you record and explain those choices consistently. The documentation captures your reasoning; it doesn't substitute for actually having a valid, defensible basis for what you do with the data.

Related terms: Personal Data · Records of Processing Activities (RoPA) · Data Subject Access Request (DSAR) · Data Protection Impact Assessment (DPIA)

Frequently asked questions

How many lawful bases are there under the GDPR?
Exactly six, listed in Article 6(1): consent, performance of a contract, compliance with a legal obligation, protection of vital interests, performance of a public task, and legitimate interests.
Do I always need consent to process personal data?
No. Consent is just one of the six bases and is often not the best choice, since it must be freely given and can be withdrawn. Contract, legal obligation or legitimate interests frequently fit ordinary business processing better.
Is a lawful basis enough for sensitive data?
No. Special-category data under Article 9 — such as health, biometric or racial data — requires both an Article 6 lawful basis and a separate Article 9 condition before you can process it.

Toolkits that cover Lawful Basis for Processing

EU GDPR

GDPR Compliance Pack for Small Business

14 editable GDPR documents — privacy notices, DSAR procedure, DPIA, breach response, processor DPA checklist — plus a pre-filled Records of Processing Activities (Art. 30) workbook and evidence checklist.


Learn more in our GDPR guide, explore the editable policy templates, or browse the full compliance glossary.


Professional editable templates — general information only, not legal, audit, tax, or certification advice, and no professional or advisory relationship is created. No purchase makes an organization compliant or certified. Review each document with qualified counsel, your compliance professional, or your auditor before relying on it. ISO, IEC, SOC 2, AICPA, HIPAA, NIST, GDPR, the EU AI Act, IRS and FTC are referenced descriptively only; ComplianceDocs (ExpertEngine LLC) is independent and is not affiliated with, endorsed by, or certified by any standards body, regulator, or audit firm.