How many of the legitimate processing criteria must be met for personal data to be processed legally under GDPR?

Under the General Data Protection Regulation (GDPR), personal data can be processed legally when at least one of the six legitimate processing criteria is satisfied. These criteria include obtaining the data subject's consent, fulfilling a contract, complying with a legal obligation, protecting vital interests, performing a task carried out in the public interest or exercising official authority, and pursuing legitimate interests of the data controller or a third party.

The emphasis on needing at least one criterion means that organizations have flexibility in selecting the appropriate legal basis for their data processing activities. For instance, if an organization obtains consent from individuals to process their data, they can legally proceed without needing to consider other criteria. This grants organizations the autonomy to choose the most suitable basis based on their specific context and purpose for processing.

This principle is foundational to GDPR’s requirements, ensuring that the regulation is practical and can accommodate a variety of data processing needs while still protecting individuals' rights.