Six Lawful Bases under GDPR

The GDPR sets out six lawful bases for processing data— in other words, the legitimate reasons or legal justification for collecting and using someone’s personal information. At least one of these (and sometimes more than one) will always apply. Wherever you process personal data, you need to decide what is the most appropriate lawful basis for the processing.

In church contexts it is important to understand legitimate interest. It is very flexible and can apply in a range of circumstances but the disadvantage is that you take on more responsibility for considering other peoples’ rights and interests. Consent is a safe option because it places the control with data subjects.

What are the six lawful bases?


Consent is defined as any freely given, specific, informed and unambiguous indication of the data subject’s wishes – either by a statement or by clear affirmative action.  Even if a parishioner has been on your mailing list for 25 years, the data controller must be able to demonstrate that consent was given.  While not common practice, it is lawful to gain consent orally, but you must be very careful to document this immediately and accurately. 

It is good practice to offer data subjects options (eg separate tick-boxes for receiving the prayer diary, for service information and for general parish communications) and it must be as easy for them to withdraw consent as it was to give consent in the first place. 

The data controller must retain proof of consent being given – and withdrawn – for at least as long as the data is used.

You must be able to show that you are complying with the principles by providing evidence.

Legitimate interest

The processing of data is necessary for your legitimate interests or the legitimate interests of a third party, provided your interests do not outweigh those of the third party. For example, a PCC has a legitimate interest to process personal data of the PCC members, churchwardens, treasurer, etc  in order to circulate information about church business so they can carry out their roles effectively. Note with legitimate interest there is a balance/exchange: in this case people offer to hold office, in exchange the personal data is processed to help them to perform that office effectively and the interests are reasonably balanced.

Contractual necessity

This means that personal data may be processed if the processing is necessary so that a contract can be entered into with the data subject. 

Compliance with legal obligation

This can mean that personal data may be processed if the controller is legally required to perform such processing, such as to comply with the church representation laws, faculty law, tax law, health and safety, safeguarding of vulnerable persons.

Vital interests

This can be relevant in a life or death situation where it’s allowed to use a person’s medical or emergency contact information without their consent.

Public interest

Personal data may be processed if the processing is necessary for the performance of tasks carried out by a public authority or private organisation acting in the public interest. 

Last Updated

Jun 2024 – Reviewed and checked