Lawful Basis for Processing

Definition

The legal justification required under privacy laws like GDPR for processing personal data. GDPR Article 6 provides six lawful bases: consent, contract (processing necessary for contract performance), legal obligation (required by law), vital interests (protecting someone's life), public task (official functions or public interest), and legitimate interests (balancing organizational needs against individual rights). Every processing activity must have at least one lawful basis identified before processing begins. The lawful basis determines individual rights—for example, individuals can withdraw consent but can't withdraw contract-based processing if it's genuinely necessary for service delivery. Organizations should carefully select appropriate lawful bases, document the basis for each processing purpose, communicate the basis to individuals, not arbitrarily switch bases, and ensure processing aligns with the chosen basis. Selecting the wrong lawful basis is a common compliance mistake with serious implications.

Applicable Laws & Regulations

  1. GDPR Article 6 - Lawfulness of processing
  2. GDPR Article 6(1)(a-f) - Six lawful bases
  3. GDPR Recitals 40-50 - Context for lawful bases
