There are six available lawful bases for processing. No single basis is ’better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the individual.
The 6 legal bases are:
Contract - You can rely on this lawful basis if you need to process someone’s personal data:
- to deliver a contractual service to them; or
- because they have asked you to do something before entering into a contract (eg provide a quote).
Legitimate interest - You can rely on this lawful basis if you process personal information in ways they would reasonably expect:
- which have a minimal privacy impact
- where there is a compelling justification for the processing
Consent - You can rely on this lawful basis for processing personal information when:
- a specific purpose for processing falls outside of the scope for which you obtained the data
- none of the other 5 legal bases for processing fit that specific purpose
- you are processing any sensitive or special category data
- you are processing a data subject by means of automated decision-making against a substantial database
Legal obligation - You can rely on this lawful basis if you need to process the personal data:
- to comply with a common-law obligation
- to comply with a statutory obligation
Vital interest - You are likely to be able to rely on vital interests as your lawful basis if:
- you need to process the personal data to protect someone’s life
- you document the circumstances where it will be relevant and ensure you can justify your reasoning
Public interest - You can rely on this lawful basis if you need to process personal data:
- ‘in the exercise of official authority’. This covers public functions and powers that are set out in law; or
- to perform a specific task in the public interest that is set out in law.
You may need to store customers' contact information in order to fulfil an order or contract. This could be deemed as processing under the legal basis of contract.
The customer refers a friend to you who enquires about your services, requesting a quote. Here you could process their information under the legal basis of legitimate interest.
You want to offer a special discount to promote your services to your existing customers. However, 'promoting your services' is not what your customers shared their information with you for when acquiring your services. This means you will need to process their information under the legal basis of consent (granted permission), which will require them to grant you express permission to do so.
To run your company you manage a staff of 5. You are required by law to hold on to some of their personal information for HMRC purposes for up to 5 years. You hold this information under the legal basis of legal obligation.
One of your staff is taken ill one day at work, so your team access (process) his emergency contact information, fearing an emergency. Here they would be processing information under the legal basis of vital interest.
A crime has taken place outside of your office, in the field of view of your security cameras. The police make an official, legally binding request for you to share (process) those tapes with them. You may do so under the legal basis of public interest.
What the regulator says
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
You should think about why you want to process the data, and consider which lawful basis best fits the circumstances. You can use the ICO's interactive guidance tool to help you.
You might consider that more than one basis applies, in which case you should identify and document all of them from the start.
You must not adopt a one-size-fits-all approach. No one basis should be seen as always better, safer or more important than the others, and there is no hierarchy in the order of the list in the GDPR.
Several of the lawful bases relate to a particular specified purpose – a legal obligation, performing a contract with the individual, protecting someone’s vital interests, or performing your public tasks. If you are processing for these purposes then the appropriate lawful basis may well be obvious, so it is helpful to consider these first.
In other cases you are likely to have a choice between using legitimate interests or consent.
If you choose to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people’s rights and interests.