Boddy Matthews

  Boddy Matthews  

No Consent? Other Lawful grounds…


Our previous GDPR update pointed out one common misconception that you need consent to process personal data. Consent is only one of the six lawful bases for all processing of personal data (unless an exemption or derogation applies). This is not a new requirement. Current data protection laws also place an obligation on organisations to have a lawful basis for each processing activity.


The six lawful bases to process personal data under Article 6 are:


a) Consent

  • The data subject has given consent to processing of personal data for specific reasons.

b) Contractual necessity

  • Processing is permitted if it is necessary for the entry into, or performance of, a contract with the data subject or in order to take steps at his or her request prior to the entry into a contract.

c) Compliance with legal obligations

  • Processing is permitted if it is necessary for compliance with a legal obligation under EU law or the laws of a Member State.

d) Vital Interests

  • Processing is permitted if it is necessary in order to protect the vital interests of the data subject or of another natural person. In practice this will generally only apply to matters of life and death.

e) Public Interest

  • Processing is permitted if it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This is most likely to be relevant to public authorities.

f) Legitimate Interests

  • Processing is permitted if it is necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where the controller's interests are overridden by the interests, fundamental rights or freedoms of the data subjects which require protection, particularly where the data subject is a child.
    - Identify a legitimate interest e.g. a commercial interest.
    - Processing must be necessary to achieve the legitimate interest.
    - Balance the legitimate interest against the individual’s interests.

You need to consider which basis is most appropriate to each processing purpose for your business. A regular review should confirm the most appropriate basis. Keep a record of the basis and notify data subjects of the relevant lawful bases applicable to your business in your privacy notices.


Office Address


Boddy Matthews Limited
7-11 High Street
Reigate, Surrey




+44 (0) 1737 339838

Chambers / Legal 500


undefined undefined

Follow Us


Facebook Twitter Pinterest Linkedin

Legal Information


Company Information
Terms of Business
Anti-Bribery & Corruption Statement
Slavery & Human Trafficking Statement
Diversity Policy
Privacy Policy
Cookie Policy