Category: Compliance & AML · Reviewed by Mark Fox, Broker · Renewals · Last reviewed June 2026
The set of six exhaustive grounds — consent, contract, legal obligation, vital interests, public task and legitimate interests — at least one of which must apply for the processing of personal data to be lawful under UK GDPR.
Article 6 UK GDPR sets out the six lawful bases for processing personal data. At least one must apply, and the controller must identify it at the outset and disclose it to data subjects. The six bases are: (a) consent; (b) contract; (c) legal obligation; (d) vital interests; (e) public task; (f) legitimate interests.
UK GDPR, Article 6(1)(a)–(f) and Article 6(2)–(4) (further restrictions and Member State / UK specifications).
For each processing activity the controller identifies the lawful basis, documents the reasoning, and discloses it in privacy notices. The basis cannot be switched mid-processing without strong justification. Some bases carry additional procedural requirements — consent must be specific, freely given, informed and revocable (Article 7); legitimate interests requires a documented Legitimate Interests Assessment (LIA) balancing the interest pursued against data subject interests, rights and freedoms.
For special category data (Article 9), an Article 6 basis must be paired with an Article 9 condition. Children’s consent under Article 8 has additional safeguards (age 13 in the UK). Public task is generally not available to private-sector controllers.
Apex’s privacy notice typically identifies: contract (Article 6(1)(b)) for placing the customer’s policy; legal obligation (Article 6(1)(c)) for retention to meet FCA, tax and AML record-keeping duties; legitimate interests (Article 6(1)(f)) for ongoing service, claims handling, fraud prevention and marketing to existing customers, with an LIA on file. Consent (Article 6(1)(a)) is reserved for non-essential cookies and certain prospect-marketing channels.
UK GDPR, Article 6 and Article 7. ICO guidance on Lawful basis for processing.
By Matt Bartlett, Director, on 2026-06-11.
This entry is part of the Apex Insurance Wiki. Last reviewed by Matt Bartlett on 2026-06-11. Apex Insurance Brokers Limited, FCA FRN 724952, Companies House 07014570. Not regulated advice — consult your broker on your specific position.