Explainer: Legal Basis

On what basis is your data being processed? 

On what grounds?

The ‘legal basis’ is the foundation for data processing under the General Data Protection Regulation (GDPR). This means that when an organisation wants to process personal data, there is a need to identify specific legal grounds for the processing. 

‌In other words: on what grounds is the organisation processing your data?

Types of legal grounds

There are six types of legal grounds for data processing: 

1 - You gave consent for a specific use of your personal data 
‌2 - You have a contract with the organisation 
‌3 - The organisation has a legal obligation 
‌4 - You have a vital interest, because your life is in danger 
‌5 - The organisation has a public task to perform 
‌6 - It’s in the legitimate interest of the organisation

  • When is data processing lawful?
  • Processing is only lawful when at least one of these bases appliesFor each process there needs to be a specific lawful basis. An organization cannot choose whatever is convenient. There is only one option applicable per processing activity.


You have given clear consent for you to process their personal data for a specific purpose. ‍ 

‌An organisation may ask for your consent to process your personal data. They should give you all the information you need to know about that specific processing activity. The information may not be ambiguous, and it must be clear to you for what specific usage of your personal data you consent to. 

‌You must be able to give your consent freely (without force) and you may always withdraw the consent.


The processing of personal data is necessary for a contract you have with an organisation. 

‌Examples are a contract when your data is processed in order to work somewhere, a contract of subscription or when using an online service.

Legal Obligation

The processing of your personal data is necessary for you to comply with the law. In this case there’s a specific law which tells you to process personal data in a certain way. 

‌The organisation you work for must, for instance, share your salary information with tax authorities. Or you are ordered by the police to give certain information.  

Vital Interest

The processing of your personal data is necessary to protect your life. This legal ground may only be used if there’s no other way to save a life. 

‌For instance, you are in immediate danger, but unconscious or mentally unable to provide your consent. Or when assistance must start immediately in the event of a large-scale disaster.  

Public Task

The processing of personal data is necessary to perform a task in the public interest and the task or function has a clear basis in law. ‍ 

‌In this case, there’s not a certain law which tells what personal data an organisation should process specifically, but the task an organisation performs is defined in a law. 

‌For example, a school has a public task to teach children or a local government may use camera surveillance in public places since they have a task to take care of public safety and order.  

Legitimate Interest

The processing of your personal data is necessary for your legitimate interests. This is not applicable if there is a conflict with the data subject’s interests. 

‌This means, the organisation 
‌  a) must demonstrate this activity is really necessary for business activities;
‌  b) needs to process your personal data in this manner for that business activity; 
  ‌and c) weigh your interests against the organisation’s interests. Your interests, rights and freedoms must not be harmed.  

Need more detailed information? Check the Documentation page.