Legal Obligation is one of the six lawful bases under GDPR Article 6(1)(c). Organizations can process personal data when processing is necessary to comply with a legal obligation imposed by EU or member state law.
Examples include processing employee data for tax compliance, healthcare data for public health requirements, or financial data for anti-money laundering regulations. However, the processing must be necessary and proportionate to the legal obligation.