GDPR Legal Grounds for Processing Personal Data (Article 6)

Learn the legal bases for processing personal data under GDPR, including consent, contract needs, legal duties, vital interests, public tasks, and legitimate interests.

By Editorial Team | June 06, 2026 | 7 min read

Quick answer: the GDPR gives six lawful grounds for processing

There are six main grounds for processing personal data under GDPR Article 6. These are the lawful bases that allow an organisation to process personal data in compliance with the law. If you cannot fit your use case into one of these grounds, processing is not lawful under Article 6.

In practice, “ground” means the reason you have for processing. The same activity can look similar across businesses, but the legal basis choice must match the real purpose and the real need. This is part of the broader GDPR idea that you should be clear and fair about data use.

When people search for how many grounds of processing exist under GDPR, they usually want clarity on what counts as a valid reason. This guide explains each ground and how to think about it without guessing.

Under GDPR processing requirements, you must decide on a legal basis before you start processing. That basis must be able to justify the specific processing operation you plan. For example, storing a record is one operation, while sharing it is another.

GDPR also expects you to support your choice with facts. If you claim a ground like consent, you should be able to show how it was obtained and what the person was told. If you claim a contract ground, you should point to the agreement terms that require the processing.

Article 6 grounds are meant to balance different interests. Some grounds focus on the person’s choice. Others focus on legal duties or practical necessity. Still others rely on a public purpose or a business interest, with safeguards.

Overview of GDPR grounds under Article 6

The six main grounds for processing under GDPR are listed in Article 6. A quick way to remember them is: choice (consent), necessity for exchange (contract), duty (legal obligation), safety (vital interests), public purpose (public task), and balance (legitimate interests).

Below is a plain-language map of each ground and the typical “fit”. Use this to identify which one you might rely on, then test it against your scenario.

| GDPR Article 6 ground | Typical examples of when it fits | Main idea |
|---|---|---|
| Consent | Marketing emails where opt-in is needed | Person agrees to a specific use |
| Contractual necessity | Processing for delivery of goods | Needed to perform the contract |
| Legal obligation | Tax or employment record keeping | Required by law on the controller |
| Vital interests | Emergency medical treatment | Needed to protect life |
| Public task | Welfare administration | Processing for public interest work |
| Legitimate interests | Fraud prevention in many settings | Business goal is balanced with rights |

One common mistake is picking a ground just because it sounds “close”. GDPR requires a real match between the processing and the legal basis. If several bases could apply, choose the one that you can explain and evidence most reliably.

Valid consent is one of the clearest legal bases, but it comes with strict conditions. Consent must be clear, specific, and informed. It should relate to the particular processing purpose, not a vague blanket permission.

If you are relying on consent, you should be ready for practical questions. What did the person see before consenting? Was the message understandable? Could they say no without losing a core service they are entitled to?

Consent also must be freely given, and people must be able to withdraw it at any time. Withdrawal should be as easy as giving consent, and it must not create an unfair penalty. Importantly, withdrawal does not undo processing already done lawfully while consent was in place.

  • Good fit: opt-in for a marketing newsletter where you only send if the person agrees.
  • Weak fit: pre-ticked boxes or consent bundled into unrelated terms.
  • Watch-out: consent for one purpose cannot automatically cover a new purpose.

Contractual necessity (when processing is needed to perform)

Processing can be lawful under the contractual necessity ground when it is necessary for the performance of a contract. The key word is “necessary”. You should be able to show that the processing is needed to carry out the contract, not just convenient for the business.

For example, if a customer buys a product, the seller needs shipping details to deliver it. If the processing is about payment and delivery coordination, it may be part of performing the contract. If you process extra data that is not needed for the contract, you will often need another legal basis.

This ground is also limited by how you build your terms. You should connect the processing to the duties in the agreement, such as administration, delivery, and account management. GDPR expects you to be able to explain that link clearly.

  1. Identify the contract obligations you must satisfy.
  2. List each processing step that supports those obligations.
  3. Check whether the same goal could be met without that data.
  4. Keep your privacy notice aligned with what you truly do.

Another ground is legal obligation. This applies when processing is required to comply with a legal duty imposed on the data controller. The duty comes from law, not from internal policy, voluntary standards, or business preference.

Typical examples include keeping certain records for tax, following specific workplace rules, or meeting regulatory reporting duties. In these cases, you should be able to point to the relevant legal requirement that forces the processing.

When relying on this ground, do not treat it as a general “backup” for anything you might want to do. The processing must be required, and you should limit it to what the legal rule actually needs.

  • Use this ground when a statute or regulation mandates the processing.
  • Document the legal source and the exact processing it drives.
  • Apply data minimisation so you only process what is needed.

Vital interests: protecting someone’s life

Vital interests allow processing when it is necessary to protect someone’s life. This ground is often associated with emergencies and serious harm. It is not a general “health and safety” permission; it is specifically about life-threatening situations.

Imagine an unconscious patient who needs immediate care. A hospital may need to process health-related personal data to provide treatment and coordinate emergency response. The processing would be justified because it is necessary to protect vital interests in a critical moment.

Even in urgent cases, the processing should still be proportionate. You should avoid using this ground to justify broad or long-term processing when a less intrusive approach could work.

Public task and legitimate interests (balance and purpose)

Two grounds rely on public purpose and on balancing interests. Public task applies when processing is necessary to perform a task carried out in the public interest. This ground often matters for authorities and bodies acting under a public mandate.

For public tasks, you should focus on necessity and the legal framework that assigns the task. The processing should be tied to the function, not to unrelated goals. If you are acting as a public body or contracted organisation, you need to check whether the task is truly part of the public interest role.

Then there is legitimate interests. This ground can justify processing unless the person’s rights override it. That means you must weigh your interest in processing against the impact on the individual. When the person would reasonably expect a different outcome, your interest may not be enough.

Legitimate interests often shows up in operational contexts like fraud prevention or service security. Even so, you must be careful. You should assess how intrusive the processing is, what safeguards exist, and whether alternatives are available.

  • Public task: processing needed for an assigned public interest function.
  • Legitimate interests: processing needed for a real business aim, balanced fairly.
  • Override risk: stronger person rights can limit your reliance.

Choosing the right ground and documenting your decision

GDPR requires more than selecting an option on a list. You should record your reasoning so you can explain it to regulators and affected people. A good practice is to connect each processing step to a single Article 6 ground, plus any required safeguards.

Start with the purpose. Then confirm what data is used, why it is needed, and what would happen if you did not process it. That analysis helps you distinguish between contractual necessity, legal duty, and legitimate interests.

When you rely on consent, you document the consent flow and withdrawal method. When you rely on legitimate interests, you document the balance. When you rely on public tasks, you document the mandate and necessity. This is how legal bases for processing personal data become operational, not just theoretical.

If you get it wrong, you can have downstream problems. People may exercise rights you did not expect. You may face complaints or enforcement attention. Getting the ground right early reduces those risks.

FAQ

How many grounds of processing exist under GDPR?

There are six grounds in GDPR Article 6. They cover consent, contract necessity, legal obligation, vital interests, public task, and legitimate interests.

What are the main grounds for processing under GDPR?

The main grounds are consent, contractual necessity, legal obligation, vital interests, public task, and legitimate interests. Each one depends on different facts about your purpose and necessity.

When can we rely on contractual necessity?

You can rely on contractual necessity when processing is needed to perform the contract you have with the individual. If the processing is only optional or for convenience, it may not fit.

No. Consent is one legal basis, but you can also use other bases like contract necessity, legal obligation, public task, or legitimate interests when conditions are met.

Can legitimate interests justify any kind of processing?

No. Legitimate interests must be balanced against the person’s rights. If the person’s rights override your interests, you should not rely on this ground.

What does “vital interests” cover?

Vital interests covers processing needed to protect someone’s life. It is typically relevant in urgent or life-threatening situations.

FAQ

How many grounds of processing exist under GDPR?

There are six grounds in GDPR Article 6. They are consent, contract necessity, legal obligation, vital interests, public task, and legitimate interests.

What are the legal bases for processing personal data under GDPR?

The legal bases are the six GDPR Article 6 grounds. Each one supports a different type of processing fact pattern.

What makes consent a valid basis under GDPR?

Consent must be clear, specific, and informed. People can withdraw it at any time, and withdrawal should be as easy as giving consent.

When can contractual necessity justify processing?

Contractual necessity fits when processing is needed to perform the contract. Processing must be necessary, not merely helpful.

How does the legal obligation ground work under GDPR?

It applies when processing is required to comply with a law imposed on the data controller. The processing must match what the legal rule requires.

What is the difference between public task and legitimate interests?

Public task covers processing needed for a task in the public interest. Legitimate interests relies on a balancing test and does not apply where the person’s rights override your interests.