You are here:

How to choose which ‘lawful basis’ to use under the GDPR

Ref: 34542
Last updated on 28 March 2018
School types: All · School phases: All
In-depth article
Under the GDPR, it’s crucial to identify the lawful basis (or legal reason) you can use to justify why you process personal data. Use the process below to work out which of the 6 lawful bases to use for each of your data processing activities, and avoid wasting time seeking consent that you don't need.

Article tools


  1. 1 What are the lawful bases and why do they matter?
  2. 2 Public task
  3. 3 Legal obligation
  4. 4 Fulfilling a contract
  5. 5 Vital interests
  6. 6 Legitimate interests
  7. 7 Consent
  8. 8 Additional conditions for special category and criminal offence data
  9. 9 What do we do once we've identified our lawful basis?

The Key has taken great care in publishing this article. However, some of the article's content and information may come from or link to third party sources whose quality, relevance, accuracy, completeness, currency and reliability we do not guarantee. Accordingly, we will not be held liable for any use of or reliance placed on this article's content or the links or downloads it provides. This article may contain information sourced from public sector bodies and licensed under the Open Government Licence.