Lawful Basis for Processing

Article 6(1) of the GDPR provides six lawful bases for processing personal data. At least one must apply before any processing can begin. The lawful basis must be determined and documented before processing starts -- it cannot be changed retrospectively. The choice of lawful basis affects which rights are available to data subjects.

Decision Flowchart: Selecting a Lawful Basis

  1. Is the processing required by EU or Member State law? If yes, use Legal Obligation (Art. 6(1)(c)).
  2. Is the processing necessary to perform a contract with the data subject, or to take pre-contractual steps at their request? If yes, use Contract (Art. 6(1)(b)).
  3. Is the processing carried out by a public authority performing an official function? If yes, use Public Task (Art. 6(1)(e)).
  4. Is there an immediate threat to life? If yes, use Vital Interests (Art. 6(1)(d)).
  5. Does the controller or a third party have a legitimate interest that is not overridden by the data subject's rights? If yes after conducting a balancing test, use Legitimate Interests (Art. 6(1)(f)).
  6. None of the above apply? Obtain freely given, specific, informed and unambiguous Consent (Art. 6(1)(a)).

Note: This is a simplified decision aid. Multiple bases may be available. Select the most appropriate basis considering the specific circumstances, the nature of the data, and the relationship with the data subject.

Lawful Bases Comparison

Each entry below gives the lawful basis, its article, a description, typical use cases, and the documentation requirements.

1. Consent (Art. 6(1)(a))
   Description: The data subject has given consent to the processing of their personal data for one or more specific purposes. Consent must be freely given, specific, informed and unambiguous (Art. 4(11)). For children under 16 (or a lower age set by Member State law, minimum 13), parental consent is required for information society services (Art. 8).
   Typical use cases: Marketing emails, newsletter subscriptions, cookie tracking, non-essential analytics, sharing data with third parties for purposes beyond the original contract, research participation.
   Documentation requirements: Record of when and how consent was obtained, what information was provided, and the specific purposes consented to. Consent must be demonstrable (Art. 7(1)). Must be as easy to withdraw as to give (Art. 7(3)). Pre-ticked boxes do not constitute consent (Recital 32).

2. Performance of a Contract (Art. 6(1)(b))
   Description: Processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.
   Typical use cases: Processing payment details to fulfil an order, delivering a purchased product to a shipping address, verifying identity for account creation when requested by the user, providing a requested service.
   Documentation requirements: Document the contract or pre-contractual steps, and demonstrate that the processing is genuinely necessary for contract performance -- not merely useful or mentioned in the contract terms. The EDPB has clarified that this basis cannot be used to justify processing that is not objectively necessary for the contract (EDPB Guidelines 2/2019).

3. Legal Obligation (Art. 6(1)(c))
   Description: Processing is necessary for compliance with a legal obligation to which the controller is subject. The legal obligation must be laid down by EU or Member State law (Art. 6(3)).
   Typical use cases: Tax reporting and record-keeping, employment law obligations (payroll, social security), anti-money laundering checks, mandatory breach notification, regulatory reporting, court orders.
   Documentation requirements: Identify the specific legal obligation by citing the relevant EU or Member State law. Document which processing activities are necessary to comply with that obligation. The legal basis must be sufficiently clear and precise, and its application predictable (Recital 41).

4. Vital Interests (Art. 6(1)(d))
   Description: Processing is necessary in order to protect the vital interests of the data subject or of another natural person. This basis is intended for matters of life and death.
   Typical use cases: Emergency medical treatment where the patient cannot give consent, humanitarian emergencies, disaster response, processing health data in epidemic situations where the data subject is physically or legally incapable of giving consent.
   Documentation requirements: Document the specific circumstances that necessitated reliance on vital interests, including why no other lawful basis was available. This basis should be limited to processing that clearly cannot be based on another lawful basis (Recital 46). It is narrowly construed and rarely applicable outside emergency scenarios.

5. Public Task (Art. 6(1)(e))
   Description: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The basis for this processing must be laid down by EU or Member State law (Art. 6(3)).
   Typical use cases: Government services delivery, public health monitoring, tax administration, law enforcement activities, court administration, statutory regulatory functions, public education provision.
   Documentation requirements: Identify the specific law that establishes the public task or official authority. Document how the processing is necessary for that task. Where relying on this basis, data subjects retain the right to object under Article 21(1), requiring the controller to demonstrate compelling legitimate grounds.

6. Legitimate Interests (Art. 6(1)(f))
   Description: Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, in particular where the data subject is a child.
   Typical use cases: Fraud prevention, network and information security, direct marketing to existing customers (soft opt-in), intra-group transfers for internal administrative purposes, processing for ensuring the security of a service.
   Documentation requirements: Conduct and document a Legitimate Interest Assessment (LIA) with three tests: (1) Purpose test -- identify the legitimate interest; (2) Necessity test -- demonstrate the processing is necessary for that interest; (3) Balancing test -- weigh the interest against the impact on data subjects. Note: this basis is not available to public authorities in the performance of their tasks (Art. 6(1) final sentence).

Special Categories of Data (Article 9)

Processing of special categories of personal data (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for identification, health data, sex life, or sexual orientation) is prohibited under Article 9(1) unless one of the conditions in Article 9(2) is met. Having a lawful basis under Article 6 is necessary but not sufficient -- an Article 9(2) condition must also be satisfied. The most common conditions are explicit consent (Art. 9(2)(a)) and substantial public interest with a basis in law (Art. 9(2)(g)).

Disclaimer

This page provides general information about GDPR lawful bases and does not constitute legal advice. Consult qualified legal counsel for guidance specific to your organisation.