Legal basis

On what basis is data about you being processed?


The ‘legal basis’ is the foundation for data processing under the GDPR. It means that if an organisation wants to process personal data, it must identify specific legal grounds for the processing.

There are six options:

  1. You gave consent for a specific use of your personal data
  2. You have a contract with the organisation
  3. The organisation has a legal obligation
  4. You have a vital interest, because your life is in danger
  5. The organisation has a public task to perform
  6. It’s in the legitimate interest of the organisation



Processing shall be lawful only if and to the extent that at least one of these bases applies.


For each process there needs to be a specific lawful basis. A company cannot choose whatever is convenient. There is only one option per processing activity.



You have given clear consent for the organisation to process your personal data for a specific purpose.

An organisation may ask for your consent to process your personal data. They must give you all the information you need to know about that specific processing activity. The information may not be ambiguous, and it must be clear to you which specific use of your personal data you are consenting to.

Of course, you must be able to give your consent freely. The organisation may not force or trick you into giving consent. You may always withdraw your consent.
For children, consent should sometimes be given by their parents or legal guardian.  


The processing of personal data is necessary for a contract you have with an organisation.

For example, your personal data must be processed when you work for an organisation. In that case you have a contract with that organisation. A contract doesn’t have to be as formal as an employment contract. This lawful basis may also be used when you have a subscription to a magazine, an online service, an internet subscription for your mobile phone, etc.


The processing of your personal data is necessary for the organisation to comply with the law.

In this case there’s a specific law which tells the organisation to process personal data in a certain way. The organisation you work for must, for instance, share your salary information with tax authorities. Or you are ordered by the police to give certain information.


The processing of your personal data is necessary to protect your life. This legal ground may only be used if there’s no other way to save a life.

For instance, you are in immediate danger, but unconscious or mentally unable to give consent. Or when assistance must start immediately in the event of a large-scale disaster.  


The processing of personal data is necessary to perform a task in the public interest and the task or function has a clear basis in law.

In this case, there is no specific law that says exactly which personal data an organisation should process, but the task the organisation performs is defined in a law.

For example, a school has a public task to teach children or a local government may use camera surveillance in public places since they have a task to take care of public safety and order.  


The processing of your personal data is necessary for the legitimate interests of the organisation (not applicable if there is a conflict with the data subject’s interests).

This means the organisation must demonstrate that:
1) the activity is really necessary for its business activities,
2) it really needs to process your personal data in this manner for that business activity, and
3) it has weighed your interests against the organisation’s interests. Your interests, rights and freedoms must not be harmed.