UK GDPR explainer
The Six Lawful Bases for Using Your Data, Explained
Under UK GDPR, an organisation needs a valid reason before it can use your personal data at all. There are exactly six, and which one applies quietly shapes the rights you can use.
In short
UK GDPR sets out six lawful bases an organisation can rely on to use your personal data: consent, contract, legal obligation, vital interests, public task, and legitimate interests. It must choose the most appropriate one before processing begins. Consent is only one of the six, so most everyday data use rests on something else entirely.
Frequently asked questions
Does an organisation always need my consent to use my data?
No. Consent is only one of six lawful bases under UK GDPR. An organisation can also rely on contract, legal obligation, vital interests, public task, or legitimate interests, and must choose the most appropriate one before it starts processing. A great deal of everyday data use rests on a basis other than consent.
Can an organisation switch to a different lawful basis later?
Not freely. UK GDPR expects an organisation to identify the most appropriate basis before processing begins and to be transparent about it. It cannot quietly swap to a more convenient basis afterwards to sidestep a request, which is one reason knowing the stated basis is useful when you ask questions.
Which lawful basis do data brokers usually rely on?
Many businesses in the wider data economy, including data brokers, tend to rely on legitimate interests rather than consent. That is a factual feature of how the ecosystem is structured. It means you generally have a right to object and have your objection weighed, rather than a right to withdraw consent you never gave.
How do I find out which lawful basis applies to my data?
An organisation should set out its lawful bases in its privacy notice, and you can ask directly through a Data Subject Access Request (DSAR), which lets you ask what it holds about you and why. Knowing the basis helps you decide whether withdrawing consent or objecting is the request that fits.
Related terms
This is general information, not legal advice. For guidance on your own situation, consider speaking with a qualified professional.
Reviewed by OSINTA's founding lawyer — 2026-06-27.
Know the basis, then make your request
Once you understand which lawful basis an organisation relies on, the next step is asking it what it holds about you. Our DSAR guide walks through exactly how.