Guide: Data Privacy

The Lawfulness of Processing

The General Data Protection Regulation (GDPR) lists multiple legal bases for the permissibility of processing the personal data of data subjects. Depending on the specific context of the data processing activity and its intended outcome, a lawful basis for the processing of personal data may consist of more than one legal tenet.

Even with these regulations, most businesses must handle sensitive customer data to remain competitive. However, noncompliance with the GDPR can result in hefty fines and irreparable harm to a company’s reputation.

With that, this article will discuss the Lawfulness of Processing including:

This is part of our Data Privacy Guide.

What is the Lawfulness of Processing?

Whenever an organization processes personal data, it must have a reasonable basis under Article 6 of the General Data Protection Regulation. Necessity is the keystone of many legitimate legal grounds for the process of the law. However, this does not mean that the law of process is essential just that it can’t be merely practical or the norm. Instead, it ought to be an effective and reasonable means of accomplishing a specific purpose. If the same or similar results can be obtained using less invasive techniques, such as accessing fewer personal records, then the legitimate basis does not apply.


Justifying your commercial practices because they necessitate the law of process is not sufficient. The concern is not whether the processing is required as part of your chosen procedures but rather whether or not it is objectively necessary for the stated specific purpose.

Examples of Lawfulness of Processing

The GDPR outlines six requirements that organizations must abide by in order to lawfully process data. Here are the six examples of lawful processing of personal data:


The data subject has authorized the organization to treat its personal data for one or more specified processing purposes. Organizations must exercise caution when utilizing permission as their legal basis, especially when the subject is a child. This is because consent must be free, explicit, and easily withdrawn.

Performance of a Contract

Entering into a contract with the data subject necessitates the law of process. Notably, there must be another legal ground for personal processing data if it has nothing to do with fulfilling the contract.

Legitimate Interest

Data subjects typically anticipate this type of processing activity from the organizations to whom they provide their personal data, such as marketing and fraud prevention.


If the purposes of the legitimate interests pursued are used as a legal basis for processing, it must conduct a balancing test. The organization cannot rely on legitimate interest as a legal foundation for processing if the results of its balancing tests are unfavorable.

Vital Interest

Vital interest is an unusual method of the law of process when it might be necessary to preserve another person’s life. Vital interest typically occurs during times of urgent medical care.

Legal Requirement

Legal obligations necessitate the law of the process to be in compliance, such as one governing data privacy, data security, employment practices, or consumer contracts.

Public Interest

Public interest is a process of law carried out by a government agency or other official government-affiliated organization.

The Law of the Process: Deciding Which Lawful Basis Applies

The context and purposes of the processing will determine the applicable law of the process. Before deciding on a legal ground for processing, you should evaluate your reasons for applying for processing.


If you think more than one of the bases applies, you should list them immediately. Avoid using a blanket strategy, instead, detail each reason and provide some justification for the selection of that basis. After all, the GDPR does not prioritize any of the detailed legal grounds; thus, none of them should be considered inherently superior.


Several proper justifications involve:


  • Fulfilling a certain function, such as complying with the law.
  • Fulfilling a contract.
  • Defending someone’s life.
  • Doing your job.


The appropriate lawful basis may be clear if you are processing for these reasons; therefore, initially, it is helpful to decide on these justifications.

Challenges to Choosing the Law of the Process

Among the many reasons why picking a suitable legal ground for processing is crucial are:


  • There is only one valid reason to handle data at any given time, which you must know in advance. GDPR prohibits businesses from establishing the legal basis for processing personal data after the fact or switching back and forth between different legal grounds.
  • Whatever basis you adopt for the legality, you must be able to be to provide proof for this basis at all times. Any company processing personal information must be able to demonstrate in-house to data subjects and regulatory bodies the specific legal basis upon which it is processing such information.
  • To a large extent, how an organization handles requests for exercising data subjects’ rights is determined by the legal basis for processing, as different legal bases impose additional requirements, exceptions, and limitations on requests.
  • A company that processes data on several grounds must be able to properly tell which legislation of the process applies to which data set to comply with data subject rights requests.
  • Data that falls into a “special category,” such as information about a person’s race, ethnicity, religion, trade union membership, biometrics, or health, has its own set of legal grounds for processing. An example would be preventative or occupational medicine, public health, collective bargaining agreements, or the lawful activities of non-profit organizations.

The Lawfulness of Processing Best Practices

An organization needs to have a lawful basis for each processing activity to ensure compliance with GDPR. Consequently, businesses need to:


  • Examine everything they are doing with their stakeholders’ personal information and ensure legality;
  • where consent is used as a legal basis for processing, the organization should assess its present methods for gaining consent to ensure they are GDPR-compliant; and
  • where a legitimate interest is a basis for processing, the organization should keep records of its assessment of that legitimate interest to demonstrate that it properly considered the rights of data subjects.


Compliance with GDPR provides a competitive advantage, boosts reputations for best practices, and provides a platform for superior data insights if the appropriate tools and processes are implemented as soon as possible.


The lawfulness of data processing is both necessary and important to ensure compliance. Satori can help organizations secure their data and enable them to establish the lawfulness of processing and meet GDPR requirements. 


To learn more:


Last updated on

October 30, 2022

The information provided in this article and elsewhere on this website is meant purely for educational discussion and contains only general information about legal, commercial and other matters. It is not legal advice and should not be treated as such. Information on this website may not constitute the most up-to-date legal or other information. The information in this article is provided “as is” without any representations or warranties, express or implied. We make no representations or warranties in relation to the information in this article and all liability with respect to actions taken or not taken based on the contents of this article are hereby expressly disclaimed. You must not rely on the information in this article as an alternative to legal advice from your attorney or other professional legal services provider. If you have any specific questions about any legal matter you should consult your attorney or other professional legal services provider. This article may contain links to other third-party websites. Such links are only for the convenience of the reader, user or browser; we do not recommend or endorse the contents of any third-party sites.