GDPR Six Lawful Bases for Processing: Choose Your Legal Foundation (Article 6)
What you need to know: GDPR Six Lawful Bases for Processing: Choose Your Legal Foundation (Article 6)
GDPR Article 6 requires you to have at least one lawful basis before processing personal data. There are six: consent, contract, legal obligation, vital interests, public task, and legitimate interests. This guide explains each, with examples and a decision tree.
GDPR Article 6 requires you to identify at least one lawful basis before processing personal data. There are six options: consent, contract, legal obligation, vital interests, public task, and legitimate interests. Choosing incorrectly β or failing to document your choice β can result in fines of up to β¬20 million or 4% of global annual turnover, and a mandatory requirement to delete the data.
This guide explains each basis, when it applies, and how to document your choice.
The Law: GDPR Article 6(1)
"Processing shall be lawful only if and to the extent that at least one of the following applies: (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (c) processing is necessary for compliance with a legal obligation to which the controller is subject; (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person; (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child."
Critical rule: You must identify one lawful basis per processing activity before you begin. You cannot apply multiple bases to the same processing activity, switch bases retrospectively, or rely on a basis you have not documented.
The Six Lawful Bases
Basis 1: Consent (Article 6(1)(a))
Consent is the lawful basis where the individual has given a clear, affirmative agreement to you processing their personal data for a specific purpose.
When it applies:
- Marketing emails where you have no prior business relationship with the individual
- Optional analytics tracking beyond what is strictly necessary for the service
- Sharing personal data with third-party partners for their own marketing purposes
- Any processing that individuals would not reasonably expect from your service and that no other basis covers
Requirements under Article 7:
Consent must be:
- Freely given β individuals must not be penalised for refusing. You cannot make consent a condition of access to a service unless the processing is strictly necessary for that service.
- Specific β one consent for each distinct purpose. You cannot bundle unrelated purposes into a single checkbox.
- Informed β the individual must understand what they are consenting to, for what purpose, and with whom the data will be shared.
- Unambiguous β a clear affirmative act is required. Pre-ticked checkboxes, silence, and inaction do not constitute valid consent.
Valid consent examples:
- β "I would like to receive the EuroComply newsletter" (unchecked by default, added by user)
- β Separate checkboxes for "marketing emails" and "analytics tracking"
- β Double opt-in confirmation email for mailing list subscriptions
Invalid consent examples:
- β Pre-ticked checkbox: "Tick here to opt out of marketing" (active opt-out is not consent)
- β "By creating an account, you consent to us using your data for any purpose"
- β Consent buried in terms of service that individuals must accept to use the service
- β "If we don't hear from you by Friday, we'll assume you consent"
Withdrawal: Consent can be withdrawn at any time, and withdrawal must be as easy as giving consent. If consent is withdrawn and it is your only lawful basis, you must stop processing and β unless another basis applies β delete the data.
Basis 2: Contract (Article 6(1)(b))
Processing is lawful where it is necessary for the performance of a contract to which the individual is a party, or to take pre-contractual steps at their request.
When it applies:
- Processing a customer's name and delivery address to fulfil a purchase order
- Processing payment details to charge for a service the customer has subscribed to
- Processing an applicant's job history to evaluate their application (at their request)
- Processing a prospective borrower's financial information to assess a loan application they submitted
The necessity test: The processing must be genuinely necessary to fulfil the contract. "Useful" or "convenient" is not sufficient β if you could fulfil the contract without the processing, this basis does not apply.
What contract basis does not cover:
- Marketing to the customer beyond what is necessary to fulfil the agreement
- Analytics and profiling beyond what the service requires
- Sharing customer data with third parties for their own commercial purposes
These secondary purposes require their own lawful basis (consent or legitimate interests).
Documentation: Keep the contract or order confirmation, and record which specific data processing activities are necessary for which contractual obligation.
Basis 3: Legal Obligation (Article 6(1)(c))
Processing is lawful where it is required to comply with a legal obligation under EU or Member State law.
When it applies:
- Retaining invoices and VAT records for 7 years under EU tax law
- Verifying customer identity (KYC) under Anti-Money Laundering Directive requirements
- Maintaining payroll records under employment law
- Disclosing data to law enforcement pursuant to a court order
- Retaining records of accidents at work under health and safety regulations
What it requires: The obligation must be imposed by law β not a contractual obligation you have agreed to, not an industry best practice, and not a customer request. The specific law must be identifiable.
Documentation: Cite the specific regulation, directive, or statute that creates the obligation. Note the retention period it mandates. When the legal obligation ends or the retention period expires, delete the data.
Important: You cannot use legal obligation as a basis to retain data "just in case" you are later required to produce it. The obligation must be current and identifiable.
Basis 4: Vital Interests (Article 6(1)(d))
Processing is lawful where it is necessary to protect the vital interests of the individual or another natural person.
When it applies:
- Processing a patient's medical history to provide emergency treatment when the patient is unconscious and unable to consent
- Disclosing an individual's location to emergency services after a distress call
- Contacting customers to warn them of an imminent health risk linked to a product recall
- Sharing information about a missing person with law enforcement
What "vital interests" means: This basis is limited to situations involving life, death, or physical safety. It does not apply to financial interests, emotional wellbeing (absent serious physical risk), or business continuity.
The consent-first rule: Where the individual is capable of giving consent, you should seek consent rather than relying on vital interests. This basis is primarily for situations where consent is physically impossible to obtain.
Documentation: Record the vital interest at stake, why processing was necessary, and why it was not possible to use a less intrusive approach.
Basis 5: Public Task (Article 6(1)(e))
Processing is lawful where it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
When it applies:
- A government tax authority processing taxpayers' financial data to administer tax law
- A public health authority processing patient data to monitor disease outbreaks
- A university processing student records to issue degrees
- A regulator processing financial data to supervise compliance with financial services law
What it does not cover:
Private companies do not generally qualify under this basis, even if their activities benefit the public. A utility company providing essential services, a private hospital, or an NGO conducting research must use another basis β typically legitimate interests or consent β unless they are exercising specific official authority delegated by law.
Documentation: Cite the specific statutory function or official authority that supports the processing. Conduct a DPIA (Data Protection Impact Assessment) β this basis often involves large-scale or sensitive processing.
Basis 6: Legitimate Interests (Article 6(1)(f))
Processing is lawful where it is necessary for the purposes of a legitimate interest pursued by you or a third party, except where that interest is overridden by the individual's fundamental rights and freedoms.
This is the most flexible basis, but it requires a documented balancing test.
When it applies:
- Fraud prevention: analysing transaction patterns to detect fraudulent activity
- Network and information security: monitoring systems to detect intrusions and data breaches
- Direct marketing: contacting existing customers about related products or services
- Internal administration: processing employee data for HR, payroll, and workplace management
- Legal defence: retaining data needed to defend against potential legal claims
- Analytics: processing usage data to improve your products and services
The three-part test (Legitimate Interests Assessment):
Before relying on legitimate interests, you must conduct and document a Legitimate Interests Assessment (LIA):
- Purpose test β Is your interest legitimate? (Commercial, operational, and social purposes can all qualify)
- Necessity test β Is the processing necessary to achieve that purpose? Could you achieve it with less data or less invasive methods?
- Balancing test β Does your interest override the individual's privacy rights? Consider: the nature of the data, the individual's reasonable expectations, the potential harm to them, and whether any mitigations reduce the impact
The balancing test in practice:
| Processing Activity | Your Interest | Individual's Expectation | Harm | Outcome | |---------------------|---------------|--------------------------|------|---------| | Email marketing to existing customers about similar products | Generate revenue | Reasonable β they purchased from you | Low β easy to unsubscribe | Legitimate interests applies | | Selling customer data to unrelated third parties for their marketing | Monetise data | Not reasonable β unexpected sharing | High β loss of control over personal data | Legitimate interests overridden | | Fraud detection by analysing transaction patterns | Prevent loss and protect customers | Reasonable β expected from a payment processor | None or beneficial | Legitimate interests applies | | Processing employee communications to monitor productivity | Operational efficiency | Reduced expectation in professional context | Moderate β chilling effect on communication | Requires careful balancing; likely requires a DPIA |
Documentation: Prepare a written LIA that addresses all three parts of the test. If an individual objects to your processing under Article 21, you must demonstrate that your legitimate interests override their objection β without a documented LIA, you cannot do this.
Not available for: Public authorities carrying out their tasks (use public task basis), or where the processing involves children's data (heightened protection applies).
Sensitive Data: The Additional Layer
Where processing involves special categories of personal data under Article 9 β including health data, genetic data, biometric data, racial or ethnic origin, political opinions, religious beliefs, trade union membership, sexual orientation β a lawful basis under Article 6 is necessary but not sufficient.
You also need to satisfy one of the conditions in Article 9(2), which includes:
- Explicit consent (note: this is a higher standard than standard consent)
- Employment and social security law obligations
- Vital interests where the individual cannot consent
- Processing by not-for-profit bodies in the course of their legitimate activities
- Data manifestly made public by the individual
- Legal claims or court proceedings
- Substantial public interest under Member State law
- Medical diagnosis and healthcare
- Public health interests
- Archiving, research, or statistical purposes
Decision Tree: Choosing Your Lawful Basis
Are you fulfilling a contract to which the individual is a party,
or taking pre-contractual steps they requested?
β YES: Use Contract (Article 6(1)(b))
β NO: Continue
Is there a specific legal obligation (EU law, national law,
court order) that requires you to process this data?
β YES: Use Legal Obligation (Article 6(1)(c))
β NO: Continue
Is someone's life or physical safety at immediate risk, and
is it impossible or impractical to obtain consent?
β YES: Use Vital Interests (Article 6(1)(d))
β NO: Continue
Are you a public authority exercising statutory functions or
official authority assigned by law?
β YES: Use Public Task (Article 6(1)(e))
β NO: Continue
Do you have a legitimate business, operational, or social
interest in the processing?
β YES: Conduct a Legitimate Interests Assessment (LIA)
β Does your interest override the individual's rights?
β YES: Use Legitimate Interests (Article 6(1)(f))
β NO: Consider whether to modify the processing to reduce impact
β NO: Continue
Can you obtain the individual's free, specific, informed, and
unambiguous consent?
β YES: Use Consent (Article 6(1)(a))
β NO: Do not process the data β you have no lawful basis
Documentation Checklist
For each processing activity in your Records of Processing Activities (ROPA):
- Purpose: What is the specific purpose of this processing?
- Lawful basis: Which Article 6 basis? Cite the specific letter (a)β(f).
- Necessity: Why is this specific data necessary to achieve the purpose?
- Data categories: What specific categories of personal data are involved?
- Recipients: Who has access to or receives this data?
- Retention period: How long is the data kept and why?
- Rights mechanism: How can individuals exercise their rights?
- Consent records: If consent β how and when was it obtained? Keep the proof.
- Contract reference: If contract β which contract or order justifies each field?
- Legal citation: If legal obligation β which specific law or regulation?
- LIA document: If legitimate interests β attach the completed three-part assessment.
Common Mistakes
Applying multiple bases to the same processing activity. Pick one and document it. Switching bases retrospectively (e.g., from consent to legitimate interests when an individual withdraws their consent) is not permitted.
Assuming contract covers secondary uses. Contract covers only what is genuinely necessary to deliver the contracted service. Marketing, cross-sell analytics, and profiling require separate bases.
Relying on legitimate interests without conducting an LIA. If challenged by an individual (Article 21 objection) or a DPA, you must produce the documented LIA. An undocumented claim of legitimate interests will not withstand scrutiny.
Using consent when a legal obligation already applies. If a law requires you to retain data, you do not need consent and should not ask for it. Framing a legal obligation as optional undermines your compliance posture.
Failing to account for Article 9 when processing sensitive data. A lawful basis under Article 6 alone is insufficient for health data, genetic data, biometric data, or the other categories listed in Article 9.
Ignoring individual objections. When an individual objects to processing on legitimate interests grounds (Article 21), you must stop processing unless you can demonstrate overriding legitimate grounds. Document your response to every objection.
Key Takeaways
- One lawful basis per processing purpose. Identify it before you begin and document it.
- Consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes and bundled purposes are invalid.
- Contract covers only processing that is genuinely necessary to fulfil the agreement β not marketing or analytics.
- Legal obligation requires an identifiable legal provision that mandates the processing.
- Vital interests is narrow: life, death, or physical safety, typically where consent is impossible.
- Public task is limited to public authorities exercising statutory functions.
- Legitimate interests is flexible but requires a documented three-part assessment.
- Sensitive data requires both a lawful basis (Article 6) and a condition under Article 9(2).
- If you cannot identify a lawful basis, you must not process the data. Unlawful processing must be stopped and the data deleted.
For informational purposes only. This article does not constitute legal advice. Consult your Data Protection Officer, legal counsel, or a GDPR compliance specialist for advice specific to your organisation.
Key takeaways: GDPR Six Lawful Bases for Processing: Choose Your Legal Foundation (Article 6)
This article covers: The Law: GDPR Article 6(1), The Six Lawful Bases, Sensitive Data: The Additional Layer.
- The Law: GDPR Article 6(1)
- The Six Lawful Bases
- Sensitive Data: The Additional Layer
- Decision Tree: Choosing Your Lawful Basis
- Documentation Checklist
EuroComply Editorial Team
EU regulatory compliance specialists covering the AI Act, GDPR, NIS2, and related legislation. Content reviewed against official EU regulation texts and enforcement guidance.
For informational purposes only. Consult qualified legal counsel.
Get the weekly EU compliance briefing β 2 minutes, every Thursday.
Related Regulation
GDPR
Official EuroComply guide to GDPR