The Six Lawful Bases for Processing

Every processing activity under GDPR requires a lawful basis. Without one, the processing is unlawful — regardless of how benign the purpose, how careful the security measures, or how transparent the privacy notice. Article 6(1) sets out six lawful bases, and only one needs to apply for a given processing activity. Choosing the right one, however, is one of the most consequential decisions in building a GDPR compliance programme.

The choice of lawful basis is not a formality to be decided after processing has begun. It must be determined in advance, documented, and communicated to data subjects. And the consequences of each choice differ materially: different lawful bases trigger different data subject rights, different documentation requirements, and different limitations on what can be done with the data. An organisation that selects the wrong lawful basis — or that changes its stated basis after the fact — faces compliance failures that cannot easily be corrected without disrupting the processing activity entirely.


The Six Lawful Bases: An Overview

Article 6(1) lists the six lawful bases as: (a) consent; (b) contract; (c) legal obligation; (d) vital interests; (e) public task; and (f) legitimate interests. Each has specific conditions that must be met for the basis to be valid. Each creates a different relationship between the organisation and the data subjects whose data it processes. And each has different implications for the rights those data subjects can exercise.

A critical principle is that no lawful basis is inherently superior to others. The right basis is the one that genuinely reflects the relationship between the organisation and the data subject for the specific processing activity in question. Using consent as a basis when contract or legitimate interests would be more appropriate does not provide stronger protection — it creates unnecessary withdrawal risk and undermines the organisation’s ability to process data it legitimately needs. The appropriate basis must be selected for each processing activity individually.


Basis 1: Consent (Article 6(1)(a))

Consent under Article 6(1)(a) requires that the data subject has given consent to the processing of their personal data for one or more specific purposes. As discussed in Article 1.2, valid GDPR consent must be freely given, specific, informed, and unambiguous, demonstrated through a clear affirmative action.

Consent is the appropriate basis when the organisation is offering data subjects a genuine choice about whether their data is processed for a particular purpose — and when declining that processing has no adverse consequences for the data subject. Marketing communications, optional personalisation features, newsletter subscriptions, and analytics cookies are the paradigm cases.

The key risks with consent as a basis are the withdrawal right and the ongoing demonstrability requirement. Data subjects can withdraw consent at any time, as easily as they gave it, and the organisation must stop processing on that basis when consent is withdrawn. The organisation must also be able to demonstrate, for every individual whose data it processes on the basis of consent, that valid consent was obtained and has not been withdrawn. This requires robust consent management infrastructure — consent records, timestamps, version management for consent notices, and efficient withdrawal mechanisms.

IMPORTANT: Consent is often chosen inappropriately as a ‘safe’ basis when other bases are more suitable. If an organisation genuinely needs to process data — for a contract, to comply with law, or in its legitimate interests — using consent as the basis creates an illusory choice that undermines both the consent’s validity and the organisation’s ability to process data it legitimately requires. Consent should be the basis of last resort, not first choice.


Basis 2: Contract (Article 6(1)(b))

Processing is lawful where it is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract. This basis applies where the processing is genuinely required to deliver what the data subject has requested or agreed to.

The necessity test is important here. Processing is necessary for a contract if the contract cannot be performed without it — not merely if it would be convenient or helpful to perform it. An e-commerce company needs delivery address data to fulfil an order: that is necessary. Retaining that address for future marketing purposes is not necessary for the contract — a different basis is needed for the retention beyond fulfilment.

Contract is the right basis for: processing delivery information to fulfil an order; processing payment details to charge for a service; processing account credentials to provide platform access; processing customer communications in the context of a service relationship. Pre-contractual processing — responding to a quote request, evaluating a job application — is covered where the steps are taken at the request of the data subject.

KEY IDEA: The contract basis applies only where the data subject is themselves party to the contract. Processing data about employees on the basis of an employment contract is valid. Processing data about the employees’ family members on that basis is not — those individuals are not party to the employment contract.


Basis 3: Legal Obligation (Article 6(1)(c))

Processing is lawful where it is necessary for compliance with a legal obligation to which the controller is subject. This basis applies where a law, regulation, or binding legal instrument requires the organisation to process personal data. The obligation must be based on EU or EU member state law.

Common examples include: processing employee tax and social security records as required by employment and tax law; retaining transaction records as required by anti-money laundering regulations; disclosing data to law enforcement or regulatory authorities as required by a statutory notice or court order; reporting notifiable diseases to public health authorities as required by healthcare regulations.

The legal obligation basis does not apply to obligations imposed by contracts between private parties — only to obligations imposed by law. And the processing must be necessary for compliance with the obligation — the legal obligation fixes both the fact of processing and its scope. An organisation cannot use the legal obligation basis to justify processing that goes beyond what the legal obligation actually requires.


Basis 4: Vital Interests (Article 6(1)(d))

Processing is lawful where it is necessary to protect the vital interests of the data subject or of another natural person. This basis is intended for situations where processing is necessary to protect someone’s life or prevent serious harm, and no other basis is available because the data subject is incapacitated or otherwise unable to consent.

Vital interests is a narrow basis that rarely applies in commercial contexts. Its typical application is in emergency medical situations: a hospital processing a patient’s medical data when the patient is unconscious and cannot consent, or a disaster response organisation processing location data to coordinate rescue operations. GDPR’s Recital 46 makes clear that processing for vital interests should in principle be carried out only where other lawful bases cannot be relied upon.


Basis 5: Public Task (Article 6(1)(e))

Processing is lawful where it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This basis is primarily used by public authorities and bodies exercising governmental or regulatory functions. The task must be laid down by EU or member state law.

Public task may also apply to private organisations that carry out tasks genuinely in the public interest — research institutions, regulatory bodies, public interest journalism in some contexts. But for most commercial organisations, public task is not an available basis. The nature of the task, not the nature of the organisation, is the decisive factor.


Basis 6: Legitimate Interests (Article 6(1)(f))

Legitimate interests is the most flexible basis and the one that requires the most careful analysis. Processing is lawful where it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

The legitimate interests basis requires a three-part balancing assessment known as the Legitimate Interests Assessment (LIA): (1) identify the legitimate interest being pursued; (2) assess whether the processing is necessary for that interest; (3) balance the interest against the data subject’s interests, rights, and freedoms, considering the impact on the data subject and whether they would reasonably expect the processing.

Legitimate interests covers a broad range of commercial and operational processing: fraud prevention and security monitoring; direct marketing to existing customers for similar products (the ‘soft opt-in’ rule); intra-group data sharing for administrative purposes; network and information security; processing to prevent and detect crime; processing necessary to make legal claims.

KEY IDEA: Legitimate interests is not a catch-all for processing that doesn’t fit other bases. The balancing test is genuine — there will be processing activities where the data subject’s interests override the controller’s. The LIA must be documented in advance, not constructed retrospectively when a data subject exercises their rights or a DPA enquires about the basis for processing.

The legitimate interests basis is not available to public authorities for the performance of their tasks. And it requires particular care where the data subjects are children or where the processing has a significant impact on them. The more significant the impact of the processing on individuals, the stronger the legitimate interest must be, and the more clearly the necessity and balance must be demonstrated.


How Lawful Basis Affects Data Subject Rights

The choice of lawful basis directly determines which rights data subjects can exercise in relation to the processing. This is one of the most important practical consequences of basis selection, and it is frequently overlooked by organisations that treat lawful basis documentation as a compliance formality.

The right to erasure (Article 17) is available where the basis was consent and consent is withdrawn; where the basis was legitimate interests and the data subject objects and the controller cannot demonstrate compelling grounds to override; or where the processing was unlawful. It does not apply where processing is necessary for legal compliance or the establishment, exercise, or defence of legal claims.

The right to object (Article 21) applies where the basis is legitimate interests or public task. Data subjects can object to processing on these bases, and the controller must stop unless it can demonstrate compelling legitimate grounds that override the data subject’s interests. The right to object does not apply to processing on the basis of consent, contract, or legal obligation.

The right to data portability (Article 20) applies only where the basis is consent or contract, and only for processing carried out by automated means. An organisation that processes personal data on the basis of legitimate interests cannot be required to provide data in a portable format.

IMPORTANT: Changing the stated lawful basis after a data subject has exercised rights on the basis of the original stated basis is a compliance failure. Recital 39 and Article 5’s purpose limitation principle require that the basis be determined before processing begins. Organisations that initially claim one basis and then switch to another when the first becomes inconvenient face regulatory scrutiny and potential fines.


Documentation and Transparency Requirements

Every processing activity must have its lawful basis documented in the Record of Processing Activities (RoPA) required by Article 30. The lawful basis must also be communicated to data subjects in the privacy notice provided at the point of collection under Articles 13 and 14. The combination of internal documentation and external transparency is what satisfies the accountability principle.

Where the basis is legitimate interests, the LIA should be documented separately — capturing the interests identified, the necessity analysis, and the balancing assessment — so that it can be produced in response to a data subject rights request or a supervisory authority enquiry. The EDPB’s guidelines on legitimate interests provide the methodology; internal LIA templates should follow that structure.

Where the basis is consent, the consent mechanism, the consent notice text, the record of individual consents (including timestamps, version of notice shown, and withdrawal records), and the withdrawal mechanism must all be documented and retrievable. Consent management platform logs should be retained for the duration of the processing activity and for a reasonable period after, to demonstrate compliance with historic processing.


Special Rules for Special Category Data

For special categories of personal data under Article 9 (health, biometric, genetic, racial or ethnic origin, political opinions, religious beliefs, trade union membership, sexual orientation), an Article 6 lawful basis alone is not sufficient. A separate condition under Article 9(2) must also be satisfied. The Article 9(2) conditions largely mirror the Article 6 bases but are more demanding — explicit consent rather than ordinary consent, for example — and some categories of processing require additional member state law authorisation.

For criminal convictions and offences data under Article 10, processing must be either under official authority or authorised by EU or member state law. This is a further restriction on top of the Article 6 and Article 9 requirements, applicable to a specific and sensitive category of personal data.


A Decision Framework for Lawful Basis Selection

When assessing the lawful basis for a new or existing processing activity, the following sequence provides a structured approach. First, is there a legal obligation that requires this processing? If yes, legal obligation is the basis and the analysis ends. Second, is the data subject a party to a contract that the processing is necessary to perform? If yes, contract is the basis. Third, is there explicit consent from the data subject that meets all the GDPR conditions? If yes, and if consent is genuinely the most appropriate basis, consent can be used.

Fourth, does the processing protect the vital interests of the data subject or another person where no other basis is available? If yes, vital interests applies. Fifth, is the processing carried out by a public authority in the exercise of official functions? If yes, public task applies. Finally, does the organisation have a legitimate interest in the processing, is the processing necessary for that interest, and do the data subject’s interests and rights not override that legitimate interest? If all three are satisfied, legitimate interests is available — provided the LIA is documented.

BITLION INSIGHT: In practice, most commercial processing activities use contract (for processing necessary to deliver services), legal obligation (for regulatory compliance), or legitimate interests (for fraud prevention, security, analytics, and similar purposes). Consent is appropriate for optional processing where a genuine choice exists. Building a RoPA that maps each processing activity to its correct lawful basis is the foundation of a defensible GDPR compliance programme.