Under GDPR, organisations are required to have a lawful basis to process personal data.


Why is this important?

The first principle of the GDPR requires that personal data is processed lawfully, fairly and in a transparent manner. Processing is only lawful if there is a lawful basis.

And to comply with the accountability principle it is necessary to demonstrate that a lawful basis applies.

And because individuals have a right to be informed, it’s a requirement that individuals are provided with information about your lawful basis for processing.


What are the lawful bases for processing?

Article 6 of the GDPR sets out the lawful bases for processing personal data.

It is worth remembering that processing is only lawful if at least one of these bases applies.

  • Consent. The individual has given clear consent for you to process their personal data for a specific purpose.

  • Contract. The processing is necessary for the performance of a contract to which the individual is a party.

  • Legal obligation. The processing is necessary for compliance with a legal obligation.

  • Vital interests. The processing is necessary in order to protect the vital interests of the individual or another person.

  • Public task. The processing is necessary for the performance of a task carried out in the public interest.

  • Legitimate interests. The processing is necessary for your legitimate interests or the legitimate interests of a third party, except where such interests are overridden by the interests of the individual whose data you’re processing.



The principle of accountability requires those processing personal data to demonstrate that they’re complying with the GDPR, and have appropriate policies and processes. This means that agents will need to be able to show that they’ve properly considered which lawful basis applies to each processing purpose, and can justify that decision.

In addition, you will need to include information about your lawful basis in your privacy notice, including:

  • your intended purpose for processing the personal data; and
  • the lawful basis for the processing.