Legal Obligation (Processing Basis)

A lawful basis for processing under GDPR Article 6(1)(c) applicable when processing is necessary to comply with a legal obligation to which the controller is subject. This basis covers situations where law requires you to process personal data—like tax reporting, employment law compliance, anti-money laundering checks, or responding to lawful government requests. The legal obligation must come from EU law, member state law, or in limited cases, other sources. The key word is 'necessary'—processing must be required by law, not just permitted or helpful. Organizations can't create legal obligations through contracts to manufacture this basis. Legal obligation processing doesn't require consent and overrides objection rights. However, transparency obligations still apply—you must inform individuals about the legal obligation and the required processing. Common examples include employee tax reporting, retaining business records per accounting regulations, and complying with court orders.