How many lawful bases does GDPR provide?

Six, all set out in Article 6(1): consent, contract, legal obligation, vital interests, public task and legitimate interests. You must identify and document at least one lawful basis before you start processing personal data, and you should record which one you rely on for each purpose.

Can I use more than one lawful basis at once?

You should pick the single most appropriate basis for each processing purpose and stick to it. Switching bases later is difficult and can be unfair to individuals, because the available rights differ by basis. Document your choice up front rather than relying on several at once as a safety net.

Is consent always the best lawful basis?

No. Consent must be freely given, specific, informed and as easy to withdraw as to give, and people can revoke it at any time. Where processing is necessary to deliver a contract, comply with the law, or for a genuine legitimate interest, those bases are often more appropriate and more stable than consent.

Does this reference store what I enter?

No. The table and keyword filter run entirely in your browser. Nothing you type is uploaded, logged or stored anywhere.

GDPR Lawful Bases Reference

Q: What is the legitimate interests basis?

Legitimate interests lets you process data where it is necessary for your or a third party's genuine interest, provided that interest is not overridden by the individual's rights and freedoms. It is the most flexible basis but requires a documented three-part test (purpose, necessity and balancing) before you rely on it.

Email me this result

Get this tool's output sent to your inbox, plus one useful tool a week. No spam, unsubscribe any time.

Under the EU/UK General Data Protection Regulation, you may not process personal data unless you have a valid lawful basis. Article 6(1) sets out exactly six, and you must identify the right one for each processing purpose before you begin. This reference lists all six with the condition that triggers them, a plain example, and a note on how the basis affects individuals’ rights.

How it works

Each basis applies when its specific condition is met. Consent needs a clear, freely given opt-in. Contract covers processing necessary to deliver a contract the person is party to. Legal obligation covers processing required by law. Vital interests covers life-or-death situations. Public task covers official functions in the public interest. Legitimate interests covers a genuine business or third-party interest that is not overridden by the individual’s rights, and requires a documented balancing test. The basis you pick matters because it changes which rights apply — for example, the right to data portability only applies to consent and contract, and the right to object applies mainly to legitimate interests and public task.

Tips and notes

Document one lawful basis per purpose before processing, not afterwards.
Avoid defaulting to consent — it is the most fragile because it can be withdrawn.
Legitimate interests needs a written three-part test: purpose, necessity, balance.
Public task and legal obligation are mainly for public bodies and regulated duties.

GDPR Lawful Bases Reference

Email me this result

The six GDPR lawful bases for processing

How it works

Tips and notes