What is a legal basis under GDPR?

GDPR requires that all data controllers and processors have a valid legal basis in order to process personal data.

You must determine your legal basis before you begin processing and you should document it.  Your choice of legal basis depends on the purpose of the data processing. 

It is possible that you need to process the same set of personal data for a number of different purposes.  Each of those purposes needs to have a valid legal basis (not necessarily the same one).

You must be able to explain your legal basis for processing personal data in your privacy notice and when you answer a data access request. 


There are six legal bases allowed in GDPR

  • Consent must be specific, granular, clear, prominent, opt-in, documented and easily withdrawn

  • Individuals have stronger rights when data processing is based on consent – e.g., the right to erasure and data portability

  • Where the use of personal data is necessary for the performance of a contract with the individual or is required in order to put such a contract in place

  • For example, when you sign up for contracts for the supply of goods/services to customers you are usually required to provide some personal information such as your name, address, bank details etc.

  • Where a person's personal data is required in order to comply with either EU or Irish law
  • Examples of this are where employers are required to provide certain personal data of their employees to Revenue, or banks might need
  • Where the personal data of an individual is required to protect either the vital interests of that individual or the vital interests of another person and where that individual cannot give consent

  • Vital interests are intended to cover only interests that are essential for someone’s life. So this lawful basis is very limited in its scope, and generally only applies to matters of life and death.

  • This legal basis should only be relied upon when there is no other ground available, e.g. medical emergencies.

  • This basis applies where the processing of personal data is required for the performance of a task or function that is carried out in the public interest or as part of the exercise of official authority vested in the data controller (e.g. public authority).

  • These public interest functions must have a legislative basis (i.e. must be set out in law).  This is most often a statutory function, but it may also constitute other public interest functions that have a constitutional, common law or other non-statutory legal basis.

  • Section 34 of the Irish Data Protection Act 2018 also provides a legislative basis for this legal basis. 

Examples of organisations that process personal data under a statutory remit

  • Department of Employment Affairs and Social Protection
  • Higher Education Authority
  • Health Research Board
  • Health Services Executive

Examples of organisations that process personal data under a non-statutory remit

  • National Employment Rights Authority
  • Professional bodies

Note - this legal basis only applies to these bodies in the performance of tasks that fall under their statutory remit. 

  • This basis is available to individuals and bodies, including commercial bodies, who are processing people’s personal data in ways those people would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the data processing
  • It includes individual interests, commercial interests and other broader societal interests
  • This legal basis is not available to public authorities in the performance of their public authority task

When can an organisation use the legal basis of legitimate interest?

  1. purpose - there must be a legitimate interest behind the processing
  2. necessary - it must be necessary for that purpose
  3. justified - the justification of the legitimate interest of the organisation to process the data must be more important than the interests, rights and freedoms of the individual

Examples of where the legal basis of legitimate interests may apply:

  • company processing data for the purposes of complying with industry standards, regulatory requirements - e.g. financial institutions issuing credit, insurance companies sharing information etc.
  • industry watch-lists - e.g. non-payment, barred customers etc.
  • information-, system-, network- and cyber-security, e.g. measures to prevent unauthorised access, piracy and malware prevention, protecting IP rights, investigation and reporting of data breaches, product and product user security
  • Product development and enhancement
  • communications, marketing and intelligence - e.g. personalised service and communications, direct marketing, targeted advertising, analytics and profiling for business intelligence

Selection of examples taken from a 2017 study conducted by the Centre for Information Policy and Leadership, Hunton & Williams LLP (https://iapp.org/media/pdf/resource_center/final_cipl_examples_of_legitimate_interest_grounds_for_processing_of_personal_data_16_march_2017.pdf; last accessed 08/05/2018)

Where can I find "legal basis" in GDPR?

GDPR Article 6(2)(a)-(f)

GDPR Recitals 39 and 40


This guidance has been prepared by the HRB to help researchers in the health domain comply with GDPR requirements.

It is intended to be general guidance for educational and informational purposes only.

It is not legal advice.