The Six Lawful Bases

A plain-language guide to the six lawful bases for processing personal data under Article 6

Updated 26 February 2026

Every time your organisation processes personal data, you need a lawful basis for doing so. This is not optional. Article 6 of the GDPR states that processing is only lawful if at least one of six specific conditions applies. There is no default "we need it for business" justification — you must identify and document a concrete legal ground before the processing begins.

The Requirement for a Lawful Basis

Article 6(1) sets out six mutually exclusive bases. You must select the most appropriate one for each processing activity and record it in your Record of Processing Activities (ROPA). Choosing the right basis matters because it affects which rights data subjects can exercise and what obligations apply to you. You cannot swap bases after the fact to suit your convenience.

It is good practice to identify your lawful basis during the planning stage of any new project, product, or service that involves personal data.

The Six Bases Explained

1. Consent — Article 6(1)(a)

The data subject has given clear, affirmative agreement to the processing of their personal data for one or more specific purposes.

What "valid consent" requires:

  • Freely given — the individual must have a genuine choice. Consent bundled as a non-negotiable condition of a service is not freely given.
  • Specific — consent must relate to a defined purpose. Blanket consent for undefined future uses is invalid.
  • Informed — the individual must know who the controller is, what data is being processed, and why.
  • Unambiguous — there must be a clear affirmative action (opt-in tick box, written statement). Pre-ticked boxes and silence do not count.

Consent must also be as easy to withdraw as it is to give (Article 7(3)).

Practical example: A visitor to your website ticks an unchecked box labelled "I agree to receive your monthly newsletter" and enters their email address. This is valid consent for email marketing.

When consent works well: Marketing communications, cookie-based analytics, non-essential profiling, research participation.

When to avoid consent: Where there is a power imbalance (employer-employee relationships), where the processing is actually necessary for a contract, or where you would continue the processing regardless of whether consent is given.

2. Contract — Article 6(1)(b)

Processing is necessary for the performance of a contract to which the data subject is party, or to take steps at their request prior to entering into a contract.

The key word is "necessary." You cannot bundle unrelated processing into a contract and claim this basis. The processing must be genuinely required to fulfil the contractual obligation.

Practical example: A customer orders a product from your online shop. You process their name, address, and payment details to fulfil the order and arrange delivery. This processing is necessary for the contract.

When it works well: Delivering purchased goods or services, managing subscriptions, processing employment contracts, handling insurance claims.

3. Legal Obligation — Article 6(1)(c)

Processing is necessary to comply with a legal obligation to which the controller is subject. The obligation must be laid down by EU or member state law — contractual obligations do not count.

Practical example: Your organisation retains employee payroll data for the period required by national tax legislation. You share certain employee data with tax authorities as required by law. Both are processing under legal obligation.

Other common examples: Anti-money laundering checks, health and safety reporting, employment law record-keeping, statutory audit requirements.

4. Vital Interests — Article 6(1)(d)

Processing is necessary to protect the vital interests of the data subject or another natural person. In practice, this means protecting someone's life or physical integrity.

This basis is intentionally narrow and should only be relied upon in genuine life-or-death situations where no other lawful basis applies.

Practical example: An unconscious patient is brought into a hospital and their medical records are shared with emergency staff at another facility to guide treatment.

Important: If the data subject is capable of giving consent, you generally cannot rely on vital interests instead. This basis exists for emergencies where obtaining consent is impossible.

5. Public Task — Article 6(1)(e)

Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

This basis is primarily used by public authorities and bodies — government agencies, local councils, public universities, NHS trusts — but can also apply to private organisations carrying out public functions.

Practical example: A local authority processes residents' data to administer council tax, social services, or electoral registration.

Note: The public task must have a clear basis in law. Organisations relying on this basis should be able to point to the specific legal provision that assigns them the relevant function.

6. Legitimate Interests — Article 6(1)(f)

Processing is necessary for the legitimate interests pursued by the controller or a third party, except where those interests are overridden by the interests, rights, or freedoms of the data subject.

This is the most flexible basis but also the one that requires the most careful assessment. It is not available to public authorities in the performance of their tasks.

The three-part test (Legitimate Interest Assessment):

  1. Purpose test — identify the legitimate interest. Is it lawful, clearly articulated, and real (not speculative)?
  2. Necessity test — is the processing actually necessary to achieve that interest? Could you achieve the same goal with less data or in a less intrusive way?
  3. Balancing test — do the individual's interests, rights, or freedoms override your legitimate interest? Consider the nature of the data, the reasonable expectations of the data subject, the likely impact, and any safeguards you can put in place.

You must document this assessment (a Legitimate Interest Assessment, or LIA) and keep it on file.

Practical example: An online retailer implements fraud detection checks at checkout, analysing transaction patterns and device data to identify potentially fraudulent orders. The retailer has a legitimate interest in preventing fraud, the processing is necessary to achieve it, and the minimal impact on genuine customers does not override that interest.

Other common examples: Network and information security, internal administrative purposes within a corporate group, direct marketing to existing customers (subject to e-privacy rules).

How to Choose the Right Basis

Selecting the correct lawful basis is not always straightforward. Here are some guiding principles:

  • Start with the purpose. What are you trying to achieve? The purpose will often point naturally towards one or two candidate bases.
  • Consent is not always best. Many organisations default to consent, but it comes with ongoing management burdens (withdrawal rights, re-consent, record-keeping). If the processing is genuinely necessary for a contract or legal obligation, use that basis instead.
  • Legitimate interests is not a catch-all. It requires a documented balancing exercise. If the processing is intrusive, involves sensitive data, or targets vulnerable individuals, the balance may tip against you.
  • Document your reasoning. Whatever basis you choose, record it in your ROPA and be prepared to explain your rationale to data subjects and supervisory authorities.
  • One basis per purpose. Each distinct processing purpose should have its own identified lawful basis. A single activity may serve multiple purposes, each with a different basis.

Special Category Data — Article 9

If you are processing special category data (health, biometric, racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, sex life or sexual orientation), having a lawful basis under Article 6 is necessary but not sufficient.

You must also satisfy one of the conditions in Article 9(2), such as:

  • Explicit consent (a higher bar than ordinary consent — must be especially clear and specific).
  • Employment, social security, or social protection law obligations.
  • Substantial public interest (with a basis in law).
  • Healthcare purposes (by a health professional under a duty of confidentiality).
  • Archiving, research, or statistical purposes (with appropriate safeguards).

In practice, processing special category data always requires extra care, a documented justification under both Article 6 and Article 9, and often a Data Protection Impact Assessment.

Summary

Every processing activity requires a lawful basis. Choose carefully, document your reasoning, and remember that the basis you select has consequences for which data subject rights apply and how you must manage the processing throughout its lifecycle. When in doubt, conduct a thorough assessment and seek specialist advice before processing begins.
