Lawful Basis (Legal Basis for Processing)

GDPR

One of six GDPR Art. 6 grounds that must apply for personal data processing to be lawful.

GDPR Art. 6(1) enumerates six lawful bases: consent, contract, legal obligation, vital interests, public task, and legitimate interests. Controllers must identify and document the lawful basis for each processing activity, and inform data subjects of it in the privacy notice.

Why it matters
‘Legitimate interests’ is widely abused — regulators expect a documented Legitimate Interests Assessment (LIA) balancing the interest against data-subject rights.

Related terms

Consent (GDPR)
Freely given, specific, informed, unambiguous indication by the data subject — must be as easy to withdraw as to give.
Personal Data (GDPR)
Any information relating to an identified or identifiable natural person (data subject) — Art. 4(1).
GDPR
EU regulation governing processing of personal data of EU/EEA data subjects; fines up to €20M or 4% of global turnover.