Foundations

Lawful bases for processing

Under GDPR, every processing of personal data must rest on one of the six lawful bases listed in Article 6(1). These lawful bases define when and why data may be collected, stored, or used. Unlike CPRA, which is built mainly around consumer rights such as opt-outs, GDPR requires organizations to identify and document a basis for each processing activity before it starts, and changing basis afterwards is difficult to justify.

Consent

The individual freely gives specific, informed and unambiguous permission for a clearly stated purpose (Art. 6(1)(a)).

  • Example: A user checks a box to receive marketing emails.

  • Must be opt-in (no pre-checked boxes or silence), separate from other terms, and as easy to withdraw as it was to give (Art. 7).

Contractual Necessity

Processing is necessary to perform a contract with the individual, or to take steps at their request before entering into one (Art. 6(1)(b)).

  • Example: Processing a customer’s shipping address to deliver an order.

Legal Obligation

Processing is necessary to comply with a legal obligation that applies to the controller (Art. 6(1)(c)).

  • Example: Retaining payroll records to meet tax requirements.

Vital Interests

Processing is necessary to protect the life or vital interests of the individual or another person (Art. 6(1)(d)); this basis is meant for genuine emergencies, not routine processing.

  • Example: Sharing health data in an emergency medical situation.

Public Task

Processing is necessary for a task carried out in the public interest or in the exercise of official authority vested in the controller (Art. 6(1)(e)).

  • Example: A government database maintaining census records.

Legitimate Interests

Processing is necessary for the legitimate interests of the controller or a third party, unless those interests are overridden by the interests or fundamental rights of the individual (Art. 6(1)(f)). Public authorities cannot rely on this basis for processing done in the performance of their tasks.

  • Example: Fraud prevention or network and information security monitoring; Recitals 47 and 49 name both as legitimate interests, but the balancing test is still required.

Quick Lawful Basis Checklist

  • Identify a lawful basis before processing any personal data, and choose it deliberately: switching to a different basis later is hard to justify

  • Document the basis for each data category and purpose, for example in the record of processing activities (Art. 30)

  • Do not rely on legitimate interests without a documented balancing test (a legitimate interests assessment)

  • State the lawful basis for each purpose in your privacy notice, as Art. 13 and 14 require

  • Review lawful bases regularly as services, purposes and data flows evolve

Conclusion

Identifying and documenting lawful bases ensures that every processing activity has a clear, defensible justification under GDPR. This reduces legal risk and strengthens trust by showing users exactly why their data is being used.