
How do we carry out ADM lawfully?

Latest updates - 31 March 2026

31 March 2026 - We have updated this draft guidance to reflect changes to the UK GDPR following the Data (Use and Access) Act 2025 (DUAA).

  • We’ve added content about how you can determine whether the processing you undertake falls within the scope of the UK GDPR’s article 22A provisions that relate to solely automated decisions with significant effects. We use the short-hand automated decision-making (ADM) across this guidance when we refer to this kind of processing.
  • We’ve also clarified when your ability to undertake ADM has certain restrictions and what conditions you must satisfy in these cases.
  • We’ve created a new section about the safeguards you must put in place, as well as the rights people have about the ADM that affects them.


In detail

What does it mean for our ADM to be lawful?

The first principle of the UK GDPR is about using personal information lawfully, fairly and transparently. You must identify a lawful basis for your use of personal information in the context of ADM, including when it uses profiling. This is the case whether or not you intend to carry out ADM. 

Article 6 of the UK GDPR sets out seven lawful bases. No one basis is better or more important than the others. The appropriate one depends on why you want to use personal information and your relationship with the people involved. 

There’s only one lawful basis that you can’t use for ADM. The UK GDPR says that you can’t base these decisions entirely or partly on the recognised legitimate interest lawful basis. (For more information, see Can we carry out ADM?.)

Why is it important to get this right?

Take care to use the lawful basis that’s most appropriate for the circumstances of your processing and the relationship you have with people. 

The lawful basis you decide on impacts the rights they have. For example, the right to object applies when you use the public task or legitimate interests lawful basis, so you must take this into account if you choose to rely on these when you carry out ADM. People also have the absolute right to object to you using their information for direct marketing purposes (including profiling for these purposes), whatever lawful basis applies. 

And people’s right to data portability only applies where the lawful basis is consent or contract. 

You must: 

  • assess and document your lawful basis as part of your accountability obligations;
  • tell people about your lawful basis in your privacy information; and
  • inform people about the specific requirements for ADM, like the significance and envisaged consequences it may have on them. (See What rights do people have?.)

You should also include relevant details in your DPIA. Remember, you must carry out a DPIA where your processing activities are likely to result in a high risk to people’s rights and freedoms. (For more information about DPIAs for ADM, see Do we have to do a data protection impact assessment (DPIA)?.)

Whichever lawful basis you use, you must implement the safeguards for any ADM. (See What are the safeguards in the ADM provisions?.) 

The UK GDPR also allows you to base ADM entirely or partly on special category data. But if you do, you must identify: 

  • a lawful basis in article 6;
  • a relevant condition for processing in article 9; and
  • a special category data condition for significant decisions in article 22B.

(See When can we use special category data in our ADM?.) 

If your use of ADM involves reusing personal information for a new purpose, you must ensure that your new purpose is compatible with the original purpose you collected the information for. The UK GDPR sets out rules to help you decide whether your new purpose is compatible with your original purpose. It also lists several circumstances where reuse for a new purpose is treated as compatible with the original purpose. But if your reuse doesn't meet these conditions, you must carry out a compatibility assessment. 

Either way, you must identify a lawful basis for your new purpose. This is important because it links to the fairness, lawfulness and transparency principle. 

In some cases your original lawful basis might be sufficient, but in other cases a different one may be more appropriate. Where your new purpose is compatible, you are likely to be able to rely on legitimate interests as the lawful basis for the new processing, provided your use of the personal information is necessary for that purpose.

When is ADM ‘necessary’?

Many of the lawful bases available depend on your use of personal information being ‘necessary’. This does not mean that ADM has to be absolutely essential. But it does mean that you must ensure it is a targeted and proportionate way of achieving a specific purpose. The processing won’t be ‘necessary’ if you can reasonably do this by some other less intrusive means, or by processing less personal information.

It's also not enough to argue that using ADM is ‘necessary’ because you choose to operate your business in a particular way. The question is whether this is objectively necessary for your stated purpose. 

Similarly, ADM may allow for:

  • greater consistency in your decision-making process (eg by mitigating the risks of bias or discrimination resulting from human error); or
  • efficiency improvements (eg through delivering significant decisions more quickly).

While these are some of the key benefits, they’re not enough on their own to make this kind of processing ‘necessary’. 

What lawful bases are likely to apply?

In practice, the lawful bases that are most likely to be relevant for using personal information when you carry out ADM are:

  • consent;
  • contract;
  • public task; and
  • legitimate interests.

You could use our lawful basis interactive guidance tool to help you work this out. 

When can we rely on consent?

In the context of this guidance, consent is about giving people genuine choice and control over whether and how you use their personal information to undertake ADM. It may be appropriate where you have a direct relationship with them. If you can’t offer this genuine choice to people, consent isn’t appropriate. Therefore, consent may not be available as a lawful basis in these cases:

  • You still process the personal information on a different lawful basis if someone refuses or withdraws consent. If so, seeking consent is misleading and inherently unfair. It presents people with a false choice and the illusion of control.
  • You require someone to agree to processing as a condition of service. If you believe the processing is necessary for the service, the contract lawful basis is likely to be more appropriate. If the processing isn’t actually necessary for the service, consent is invalid as it isn’t freely given.
  • You’re in a position of power over someone (eg you’re a public authority or an employer using employee information). That person may feel they have no choice but to agree, meaning their consent isn’t freely given either.

You must ensure that consent is informed and specific. For consent to be valid, you must be able to show that people understand exactly what they are consenting to. You must give people enough information about what you want to do and what potential impacts it may have on them. This ensures that any consent they give represents their informed choice and agreement. 

You should remember that profiling can often be invisible to people, for example if it involves personal information that you obtain from somewhere other than directly from the person themselves. This sort of invisible processing may mean that it is challenging for you to show that you have valid consent, because it isn’t informed or specific in these cases.

People also have the right to withdraw their consent at any time. You must make it as easy for them to withdraw consent as it was to give it. 

If you’re in a position of power, for example if you’re a public authority or an employer, you should avoid relying on consent. This is because it is challenging for you to demonstrate that people can freely give their consent or that they have a genuine choice.

If you still process the information on a different lawful basis even if consent is refused or withdrawn, seeking consent from a person is misleading and inherently unfair. It presents the person with a false choice and only the illusion of control. 

You must identify an appropriate lawful basis and, if consent is difficult, another lawful basis may actually be more appropriate. In these cases, you should consider the alternatives.

When can we rely on contract?

The contract lawful basis applies where your use of personal information is objectively necessary to: 

  • deliver a contractual service to the person the decision is made about; or
  • take steps at the person’s request prior to entering into a contract. 

‘Necessary’ means that you must ensure your use of a person’s information is a targeted and proportionate step that’s integral to performing your contract with that particular person. If you can reasonably do what people want by using less information or using it in a less intrusive way, your use of personal information isn’t ‘necessary’ for the contract.

Example 

A healthcare provider offers remote consultations. As part of the process to enter into a contract for this service, an automated system assesses a person’s health data to establish what issues they may have and what treatments may be appropriate.

The provider assesses that this automated triage is objectively necessary for the purposes of the contract with the person, so the contract lawful basis can apply.

As this is also based entirely or partly on special category data, the provider must also consider both an article 9 condition as well as the restrictions on using this data in article 22B.

You must consider a different lawful basis (eg legitimate interests) in the following situations where the contract lawful basis does not apply:

  • You need to process a person’s details, but the contract is with someone else.
  • You reuse personal information for your own business purposes, even if your standard contractual terms permit this or it is part of your funding model.
  • You take pre-contractual steps on your own initiative, to meet other obligations, or at a third party’s request.

Example

An organisation is recruiting for a vacant position. The early stages of this process involve shortlisting, testing and selecting candidates for interview. As they expect a high volume of applications, the organisation wants to use ADM to automate these stages.

Initially, they think the contract lawful basis is appropriate for these pre-contractual stages. This is because at the end of the process, they intend to offer the successful candidate an employment contract. However, these stages don’t involve making a job offer to anyone and necessarily use the personal information of all the applicants. The contract lawful basis is about the specific person that’s party to the contract. The organisation doesn’t yet know who they will have an employment contract with. But they do know that they won’t be entering into a contract with the majority of the applicants.

Consent is also challenging due to the clear imbalance of power. Instead, the organisation considers the legitimate interests lawful basis for these stages of the process.

The contract lawful basis in article 6 is different to the contract condition about special category data in article 22B, so you must consider these separately. But there may be links between them. For example, if your article 6 lawful basis is contract, it is likely that your article 22B condition for ADM using special category data is contract. (See ‘When can we rely on the contract condition for ADM?’.)

When can we rely on public task?

This lawful basis can apply if you are either:

  • carrying out a specific task in the public interest which is laid down by law; or
  • exercising official authority laid down by law (eg a public body’s tasks, functions, duties or powers).

But you must ensure your use of personal information in ADM is necessary for these purposes. If you can reasonably perform your tasks or exercise your powers in a less intrusive way, this lawful basis doesn’t apply. 

The public task lawful basis might be appropriate for the ADM that public authorities carry out, depending on the circumstances. 

Example

A public authority wants to use personal information for ADM. It recognises that its ability to rely on certain lawful bases is limited. For example, the UK GDPR says that: 

  • consent isn’t valid where there is a clear imbalance of power; and
  • legitimate interests can’t apply to a public authority performing its tasks.  

Instead, as the processing relates to its tasks, functions or powers, the public authority relies on the public task lawful basis. As part of this, it:

  • identifies the relevant task, function or power (including its basis in common law or statute); and
  • assesses that there is no other reasonable or less intrusive means to achieve this purpose other than by using ADM.

The public authority goes on to include the relevant transparency requirements and safeguards.

When can we rely on legitimate interests?

Legitimate interests is the most flexible lawful basis. It’s not focused on a particular purpose, so it gives you more scope to potentially rely on it in many different circumstances. 

But it also places more responsibility on you to justify what you want to do and any impact this may have on people’s rights and interests. If the impact is disproportionate, legitimate interests may not be suitable.

ADM inherently has an impact on people, but this doesn’t rule out using legitimate interests as a lawful basis. 

There are three elements to legitimate interests. We call this the three-part test. You must:

  • identify a legitimate interest (the purpose test);
  • show that the processing is necessary to achieve it (the necessity test); and
  • balance it against the person’s interests, rights and freedoms (the balancing test).

A wide range of interests can be legitimate, which is one reason why this basis is so flexible. The interests can be your own or those of third parties. They can be commercial or societal interests. But the key is that, before you start processing, you must assess the impact of your processing on people and show that there is a compelling benefit to it.

Example

An organisation in the financial services sector uses ADM for the purposes of preventing or detecting fraud. 

This involves ADM using personal information from a range of sources, including credit reference agencies, bank accounts, online marketplaces and social media.

The organisation can’t use the recognised legitimate interest lawful basis for this. Although preventing and detecting fraud is part of the pre-approved recognised legitimate interest purposes, the UK GDPR doesn’t allow ADM to be based entirely or partly on this lawful basis.

The UK GDPR does say that preventing fraud may be a legitimate interest. For example, it’s in the interests of the organisation, its customers and the public in general to ensure fraud is prevented and detected. 

This means the legitimate interests lawful basis is more likely to apply. The organisation then addresses the three-part test. 

Identifying a legitimate interest doesn’t mean that this lawful basis automatically applies. This is only the first step of the three-part test. You must still demonstrate that the processing is necessary. And when you get to the balancing test, you should consider things like:

  • the level of detail involved in any profiling you carry out;
  • the comprehensiveness of any profiles you create;
  • the impact on people, particularly any significant decisions you make about them;
  • the future use or combination of the personal information; and
  • the measures you put in place to mitigate risks and ensure fairness, non-discrimination and accuracy.

The outcome of your balancing test may also depend on how you intend to carry out the ADM. For example, it may be more challenging to justify using legitimate interests for intrusive or invisible profiling and tracking practices (eg marketing or advertising purposes involving tracking people across multiple online services, devices or locations).

To complete the three-part test, you should carry out a legitimate interests assessment (LIA). An LIA is a light-touch risk assessment based on your specific context and circumstances. Using it will help you ensure your processing is lawful. Documenting your LIA will also help you demonstrate compliance with your accountability obligations. You could use our LIA template to do this.

Example

An organisation is recruiting for a vacant position. The early stages of this process involve shortlisting, testing and selecting candidates for interview. As they expect a high volume of applications, the organisation wants to use ADM to automate these stages.

After establishing that legitimate interests is the most appropriate lawful basis for these early stages, the organisation carries out an LIA.

They consider that using personal information as part of a recruitment process is a legitimate purpose. 

They assess whether ADM is necessary to achieve this purpose. They expect that a high volume of applications will take significant time and resource to look at manually. They decide ADM can be a reasonable way of carrying out the early stages, such as shortlisting and selecting for interview. It might not only speed this up, but also help to ensure a consistent approach to all the applicants, giving benefits to both them and the organisation. 

They consider the balancing test. They look at the impact the use of ADM may have on the applicants, the risks it may pose to their rights, and the mitigations they can put in place. In particular, they consider how they ensure recruitment tools manage risks of bias.

As part of this, they take into account, for example: 

  • the nature of the personal information they want to use;
  • the applicants' reasonable expectations;
  • the likely impact of the processing; and
  • what safeguards they can put in place to mitigate negative impacts.

This includes how they will:

  • tell people about the use of ADM in these stages of the recruitment process;
  • tell any eventual applicant about the solely automated significant decisions they take about them;
  • provide this information in ways that enable applicants to understand how these decisions are made and how they can exercise their rights (in particular, those they have under the article 22C safeguards);
  • train their staff to help people do this; and
  • implement appropriate technical and organisational measures to ensure their ADM is fair.

As the LIA identifies potential high risks to people’s rights and freedoms, the organisation builds on and adapts it into its DPIA.  

What about the other lawful bases?

Other lawful bases may be available, but only in specific circumstances. These are legal obligation and vital interests.

Remember, the UK GDPR doesn’t allow you to use the recognised legitimate interest lawful basis for ADM. 

Legal obligation

This lawful basis is likely to apply where you are obliged to process personal information to comply with the law. For example, there may be situations where you have a legal obligation to carry out profiling, such as to prevent money laundering. 

But it only applies where your use of personal information for ADM is:

  • a reasonable and proportionate way of achieving compliance with the obligation; and
  • limited to what’s required to do so.

There doesn’t have to be a specific provision in another law that requires you to carry out ADM. But you must: 

  • ensure your overall purpose is to comply with a sufficiently clear legal obligation with a basis in either statute or common law; and
  • demonstrate that ADM is a reasonable and proportionate way of complying.

You should identify the obligation in question, for example by referring to a specific legal provision (if there is one), or to an appropriate source of guidance that sets it out clearly.

Vital interests

Vital interests only covers interests that are essential for someone’s life. Therefore, this lawful basis is very limited in its scope and generally only applies to matters of life and death.

Recognised legitimate interest

The UK GDPR says you can’t use recognised legitimate interest as your lawful basis if you want to undertake ADM about a person. This includes processing that is entirely or partially carried out using recognised legitimate interest.