The General Data Protection Regulation (GDPR) requires that a data controller establishes a lawful basis for each and every personal data processing activity it performs directly, or indirectly via any data processors.
There are six lawful bases available and each requires that processing is 'necessary'. If the same outcome can be achieved without processing the personal data then to process it would be unlawful. The lawful bases are:
The processing of special category data (sensitive personal data) or personal data relating to a criminal conviction or offence requires both a lawful basis for general processing and an additional condition.