Lawful processing reasons

News /

Processing personal data will only be permitted when it is lawful to do so and Article 6 of the GDPR allows processing on the following six grounds: 

1.  Consent 
2.  Necessary for performance of a contract 
3.  Necessary to comply with a legal obligation 
4.  Necessary to protect the vital interests of an individual 
5.  Necessary for performing public interest or official task 
6.  Necessary for the purposes of legitimate interests

Where an organisation needs to process for the performance of a contract or to comply with a legal obligation the lawful processing reason will usually be self evident. Grounds 4 and 5 will be the least used in the business sector. It is the consent and legitimate interests grounds that will attract most discussion about their functionality and genuine use as a lawful processing ground.


Consent may be seen as the most risk free and certain option, but the GDPR sets a high standard for consent as a lawful processing ground. Consent moves from a static, one-off, tick box consent to process all personal data received, to a dynamic, ongoing and active choice requiring affirmative action as it is the individual that controls when, why and to what they are consenting.

Consent is defined in Article 4(11) as:

“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her;”

Relying on consent as a lawful processing ground will be useful in respect of legitimising the use of special

category data and effecting overseas transfers, but this needs to be balanced against the ability of the individual to withdraw consent, and difficulties of ensuring and recording that consent has been given for the correct reason.

The ICO published final guidelines on the use of consent on 9 May 2018 - you can read them here.

Legitimate interests

In the absence of the contract performance or legal obligation grounds, processing personal data without consent in the private sector is permissible where there is a genuine and legitimate reason why the personal data is being processed and there is no unwarranted impact on the individual. In such circumstances, the legitimate interests processing ground can be used.

The Recitals of the GDPR give examples of where processing may be considered a legitimate interest, these include:

>  Processing for direct marketing purposes (caution required with PECR legislation)

>  To transmit personal data on an intra-group basis for internal administrative purposes

>  Prevention of fraud

>  Reporting of criminal acts

>  For the purposes of ensuring network and information security

The GDPR’s accountability principle makes it clear that organisations need to be able to demonstrate what lawful processing ground(s) is/are being used for the particular kind of personal data being processed.

Most organisations are likely to be processing the personal data of employees, contractors,customers, individuals connected with their suppliers. Personal data is as simple as a work email address provided it identifies the individual. Identifying and keeping written records why personal data needs to be processed is key to GDPR compliance.

Related services:

Quick links

The Legal 500 2021

“Very available and responsive to company developments in real time. Frank, clear advice – not just the ‘easy’ answer.”

The Legal 500 2022

“The solicitors who have handled our employment related issues are of the highest quality in terms of their specialist area of expertise, their professionalism and their approach to us as clients and as people. Special mention has to be made of Laura Livingstone. Laura became a key member of our team and felt more like a colleague than an external adviser – a colleague you could rely upon. Laura’s attention to detail, professionalism and responsiveness was second to none. Laura has come to know and understand us as individuals and this has enabled her to personalise her advice and even sometimes to preempt our future requirements. We have a very special and extremely valuable relationship with her and the firm.”

- The Legal 500

The Legal 500 2022

“Ince are an excellent “fit” with our specific needs. The firm has consistently provided a broad range of personnel-related advice and in our experience that advice has been consistently of the very highest professional standard: it has been timely, comprehensive, accurate and at a cost which is commensurate with the budget of an organisation of our size.”

- The Legal 500

The Legal 500 2022

“The firm has an unusually high degree of insight into the practices and policies required by the Gambling Commission as regards compliance with its own requirements and conditions – particularly Andrew Tait, derived from his previous in-house experience.”

- The Legal 500