If you process personal data of individuals in the European Union, the General Data Protection Regulation (GDPR) requires you to identify a lawful basis before you start. This is not optional paperwork — it is the legal foundation that makes your processing legitimate. Choose the wrong basis, or fail to document it properly, and you risk fines, reputational damage, and loss of trust. This guide walks through each of the six lawful bases, explains when to use them, and highlights common mistakes teams make.
This overview reflects widely shared professional practices as of May 2026; verify critical details against current official guidance where applicable. The information provided here is for general informational purposes only and does not constitute legal advice. You should consult a qualified data protection professional for advice tailored to your specific situation.
Why Lawful Basis Matters: The Stakes of Getting It Wrong
The Legal and Business Risks
Under GDPR, processing personal data without a valid lawful basis infringes Article 6. Under Article 83(5), supervisory authorities can impose fines of up to 20 million euros or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher. Beyond financial penalties, a finding of non-compliance can trigger data protection audits, orders to suspend or cease processing, and negative publicity that erodes customer confidence. In one case I have seen, a mid-sized e-commerce company faced a six-figure fine after using consent as the basis for direct marketing emails but failing to keep proper records of consent. The regulator found that the company could not demonstrate that users had actively opted in, because the sign-up form used a pre-ticked checkbox, which Recital 32 rules out as a form of consent. That small design choice turned a legitimate marketing campaign into a costly violation.
Why You Cannot Rely on a Single Basis
Many organizations mistakenly believe they can pick one basis — often 'legitimate interests' — and apply it to all processing activities. This is not correct. Each processing purpose must be evaluated independently. For example, processing employee payroll data may rely on 'contract' or 'legal obligation', while using the same employee's photo on a company website likely requires 'consent'. Mixing bases without analysis leads to gaps in compliance. The key takeaway: you must map each processing activity to a specific basis, document your reasoning, and review periodically as circumstances change.
The Six Lawful Bases Explained
Consent
Consent means the individual has given clear, affirmative permission for you to process their data for a specific purpose. Under Article 4(11) and Article 7 it must be freely given, specific, informed, and unambiguous, and you must be able to demonstrate it. Pre-ticked boxes, implied consent, inactivity, or silence do not count (Recital 32). Consent is also unlikely to be freely given where there is a clear imbalance of power, such as between employer and employee or between a public authority and a citizen (Recital 43), or where a service is made conditional on consent to processing the service does not actually need (Article 7(4)). Consent is appropriate when you want to give individuals genuine control over how their data is used, for example when sending marketing emails or setting cookies that are not strictly necessary. It is not a silver bullet: it can be withdrawn at any time, you must make withdrawal as easy as giving consent (Article 7(3)), and you must keep records of when and how it was obtained and what the individual was told at the time.
Contract
Processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject before entering into a contract. This basis covers obvious scenarios like processing an employee's bank details to pay salary, or using a customer's address to deliver goods. But it does not cover activities that are merely beneficial to the contract — for example, using purchase history to recommend other products. For those, you need a different basis. The contract basis is narrow; if the processing is not strictly necessary to fulfill the contract, you must look elsewhere.
Legal Obligation
Processing is necessary for compliance with a legal obligation to which the controller is subject. This includes obligations under EU or member state law — for example, retaining financial records for tax purposes, or sharing data with law enforcement when required by a court order. The legal obligation must be clearly defined; you cannot invent your own obligations. If you rely on this basis, identify the specific law that mandates the processing and document it. This basis does not require consent from the data subject, but you must still provide transparency about what you are doing and why.
Vital Interests
Processing is necessary to protect the vital interests of the data subject or of another natural person, meaning their life or physical safety. This basis is rarely relevant in everyday business contexts. It typically applies in emergency medical situations, for example a hospital sharing a patient's data with a paramedic team during a crisis, or in humanitarian emergencies. Recital 46 says it should be used only where the processing cannot manifestly be based on another legal basis, so do not plan to rely on it for routine processing. If you do use it, document the specific circumstances and why no other basis was appropriate.
Public Task
Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This basis is available to public authorities and bodies, or private entities exercising official authority (like a private company running a public register). If you are a private business, you cannot use this basis unless you are performing a specific task defined by law. For example, a university processing student data to administer exams may rely on public task if the university is a public body. Private companies should almost never use this basis; legitimate interests or consent are more appropriate.
Legitimate Interests
Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. This is the most flexible basis, but also the most misunderstood. It requires a three-part test, usually documented as a legitimate interests assessment (LIA): (1) identify a legitimate interest (Recitals 47 to 49 give direct marketing, fraud prevention, and network and information security as examples), (2) show that the processing is necessary to achieve that interest, and (3) balance that interest against the individual's interests, rights, and freedoms, taking into account what the individual would reasonably expect and what harm the processing could cause. You must document this balancing test and keep it under review. Legitimate interests cannot be used by public authorities for processing in the performance of their tasks (Article 6(1), final sentence). It is often used for analytics, fraud detection, network security, and some types of marketing. However, if the data subject would not reasonably expect the processing, or if it would cause unjustified harm, the balancing test fails and so does the basis.
How to Choose the Right Lawful Basis: A Step-by-Step Process
Step 1: Map Your Processing Activities
Start by creating a record of all processing activities, as required by Article 30. For each activity, describe the purpose, the categories of data subjects and personal data, and any recipients. This register is the foundation for your lawful basis assessment. Without it, you cannot systematically evaluate each processing purpose.
Step 2: Determine the Most Appropriate Basis
For each processing purpose, ask: Is the processing necessary to perform a contract with the individual, or to take pre-contractual steps at their request? Is there a legal obligation that requires it? Is it necessary to protect someone's vital interests? If none of those apply, consider whether the processing is a public task (rare for private entities). If not, the two remaining options are consent and legitimate interests. Consent is appropriate when you want to give individuals a genuine choice and the processing is not strictly necessary for a service they have requested. Legitimate interests is appropriate when you have a genuine interest, the processing is necessary for it, and that interest is not overridden by the individual's interests, rights, and freedoms. Use a decision tree or checklist to guide your choice, and record the answer for each purpose.
Step 3: Document Your Decision
For each processing activity, write down which lawful basis you rely on and why. If you use legitimate interests, document the balancing test. If you use consent, record how and when it was obtained. This documentation is not just for regulators — it helps your team stay consistent and makes it easier to respond to data subject requests. Review your documentation at least annually, or whenever you introduce a new processing purpose.
Step 4: Inform Data Subjects
Your privacy notice must state the lawful basis for each processing purpose. Under Article 13, you must provide this information at the time you collect data directly from the individual. Under Article 14, when you obtain the data from another source, you must provide it within a reasonable period and at the latest within one month, at the time of first communication with the individual if the data is used to contact them, or before the data is first disclosed to another recipient, whichever comes first. The notice must use clear and plain language. If you rely on legitimate interests, you must also state what those interests are. If you rely on consent, you must explain the right to withdraw. Failing to inform data subjects is a violation even if you have chosen the correct basis.
Practical Tools and Templates for Lawful Basis Compliance
Lawful Basis Assessment Templates
Many organizations use a standardized template to document their lawful basis decisions. A good template includes fields for: processing activity name, purpose, categories of data, chosen lawful basis, justification (including legitimate interest balancing test if applicable), date of assessment, and review date. You can find free templates from data protection authorities like the ICO (UK) or CNIL (France). Using a template ensures consistency and makes audits easier.
Consent Management Platforms
If you rely on consent for marketing or cookies, a consent management platform (CMP) can help you obtain, store, and manage consent records. CMPs typically provide a user interface for opt-in, a database to store consent preferences, and mechanisms to allow withdrawal. When choosing a CMP, look for features like granular consent (separate toggles for different purposes), audit logs, and the ability to handle multiple languages and jurisdictions. Popular options include OneTrust, Cookiebot, and Osano. However, no tool replaces the need for a proper lawful basis assessment — the CMP only manages the consent process, not the decision to use consent.
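The Consent section and the CMP paragraph above both come down to one engineering requirement: being able to prove, for any subject, purpose and moment in time, what the person had agreed to and under which notice. The following is an added example of the append-only consent ledger behind that capability. It is not code from the original page nor from OneTrust, Cookiebot or Osano; the event fields, the purposes, the sample subjects and their timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Added example: an append-only consent ledger of the kind a CMP keeps.
# Not code from any vendor named on the page; field names, purposes and
# the sample subjects below are constructed for illustration.


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str          # one purpose per event, so consent stays granular
    action: str           # "grant" or "withdraw"
    at: datetime          # when the subject acted; must be timezone-aware
    notice_version: str   # which privacy notice text the subject was shown
    mechanism: str        # how the affirmative act was captured
    evidence_ref: str     # pointer to the stored form submission / request log


class ConsentLedger:
    """Events are only appended. Withdrawal is a new event, not a deletion,
    so the record of what was lawful at any past moment survives."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def record(self, event: ConsentEvent) -> None:
        if event.action not in ("grant", "withdraw"):
            raise ValueError(f"unknown action {event.action!r}")
        if event.at.tzinfo is None:
            raise ValueError("consent timestamps must be timezone-aware")
        self._events.append(event)

    def governing_event(self, subject_id: str, purpose: str, at: datetime) -> Optional[ConsentEvent]:
        """Most recent grant or withdrawal for this subject and purpose at or before `at`.
        Events at the same instant resolve in append order (the later entry wins)."""
        best: Optional[ConsentEvent] = None
        for e in self._events:
            if e.subject_id == subject_id and e.purpose == purpose and e.at <= at:
                if best is None or e.at >= best.at:
                    best = e
        return best

    def is_consented(self, subject_id: str, purpose: str, at: datetime) -> bool:
        """True only if the governing event is a grant. Consent for one purpose never
        carries over to another, and a withdrawal stops future processing without
        making processing done before it unlawful."""
        e = self.governing_event(subject_id, purpose, at)
        return e is not None and e.action == "grant"

    def demonstrate(self, subject_id: str, purpose: str) -> list[ConsentEvent]:
        """The evidence chain handed to a regulator: every event, oldest first."""
        return sorted(
            (e for e in self._events if e.subject_id == subject_id and e.purpose == purpose),
            key=lambda e: e.at,
        )


def dt(iso: str) -> datetime:
    """Parse a constructed sample timestamp as UTC."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def build_demo_ledger() -> ConsentLedger:
    """Constructed sample data: two subjects, two purposes, one withdrawal."""
    ledger = ConsentLedger()
    ledger.record(ConsentEvent("alice", "newsletter", "grant", dt("2026-01-10T09:00:00"),
                               "notice-v3", "unticked checkbox, ticked by user", "form-8812"))
    ledger.record(ConsentEvent("bob", "analytics_cookies", "grant", dt("2026-01-12T14:30:00"),
                               "notice-v3", "cookie banner, 'accept analytics' clicked", "banner-4410"))
    ledger.record(ConsentEvent("alice", "newsletter", "withdraw", dt("2026-03-01T08:15:00"),
                               "notice-v3", "unsubscribe link in email footer", "unsub-0931"))
    return ledger


def demo() -> dict:
    """Point-in-time answers a CMP must be able to give."""
    ledger = build_demo_ledger()
    return {
        "alice_newsletter_before_grant": ledger.is_consented("alice", "newsletter", dt("2026-01-01T00:00:00")),
        "alice_newsletter_while_granted": ledger.is_consented("alice", "newsletter", dt("2026-02-01T00:00:00")),
        "alice_newsletter_after_withdrawal": ledger.is_consented("alice", "newsletter", dt("2026-03-02T00:00:00")),
        "alice_profiling_never_asked": ledger.is_consented("alice", "profiling", dt("2026-02-01T00:00:00")),
        "bob_analytics": ledger.is_consented("bob", "analytics_cookies", dt("2026-02-01T00:00:00")),
        "alice_notice_version": ledger.governing_event("alice", "newsletter", dt("2026-02-01T00:00:00")).notice_version,
        "alice_evidence_chain": len(ledger.demonstrate("alice", "newsletter")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points matter here. The ledger answers "was this processing consented at time T", not just "is it consented now", which is the question a regulator asks about a campaign sent months ago; and every grant carries the notice version and capture mechanism, so a pre-ticked checkbox or a silent default would be visible in the record rather than hidden behind a boolean.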
Data Mapping and ROPA Software
For larger organizations, manual spreadsheets become unmanageable. Dedicated data mapping tools like BigID, Collibra, or even purpose-built modules in privacy management software can help you maintain a record of processing activities (ROPA) and link each activity to its lawful basis. These tools often include workflow features for reviewing and updating assessments. When selecting software, consider integration with your existing systems, ease of use for non-experts, and reporting capabilities for demonstrating compliance to regulators.
Common Pitfalls and How to Avoid Them
Pitfall 1: Using Consent as a Default
Many teams default to consent because it seems straightforward. However, consent creates obligations: you must allow withdrawal as easily as consent was given, keep the consent current as purposes or notices change, and keep records that demonstrate it. In many cases, legitimate interests or contract may be more appropriate and less burdensome. For example, if you process customer data to fulfill orders, use contract, not consent. Asking for consent when it is not required can actually weaken your position: it misleads individuals about the choice they really have, and if they withdraw you must stop processing even though the processing was necessary.
Pitfall 2: Ignoring the Necessity Test
Each basis (except consent) includes a necessity requirement. You must show that the processing is genuinely necessary to achieve the purpose. If there is a less intrusive way to achieve the same result, you cannot rely on that basis. For example, if you use legitimate interests for analytics, but you could achieve the same insights with anonymized data, then processing personal data is not necessary. Always consider whether you can achieve your purpose without processing personal data at all.
Pitfall 3: Failing to Reassess When Circumstances Change
Lawful bases are not set in stone. If you start processing data for a new purpose, you need a new basis. If the legal landscape changes (e.g., a new law imposes a legal obligation), you may need to switch bases. For example, if you previously relied on consent for employee monitoring, but a new law requires monitoring for safety, you might shift to legal obligation. Schedule regular reviews — at least once a year — to ensure your bases are still valid.
Pitfall 4: Overlooking Special Category Data
Processing special categories of data (e.g., health, biometric data used for identification, political opinions) requires both a lawful basis under Article 6 and a separate condition under Article 9(2). You cannot rely on legitimate interests or contract for special category data without an additional Article 9 condition. Common Article 9 conditions include explicit consent, obligations or rights under employment and social security law, and substantial public interest based on law. If you process special category data, ensure you have both layers of justification. One team I read about used legitimate interests for processing employee health data for insurance purposes but failed to identify an Article 9 condition; the regulator issued a warning and required them to cease processing until they obtained explicit consent. Note that in an employment relationship explicit consent is often not freely given because of the imbalance of power, so an employment-law condition under Article 9(2)(b), where Union or member state law or a collective agreement provides one, is usually the more defensible route.
Decision Checklist and Mini-FAQ
Quick Decision Checklist
- Is the processing required by law? → Legal obligation
- Is the processing necessary to perform a contract with the individual? → Contract
- Is the processing necessary to protect someone's life? → Vital interests
- Are you a public authority performing a public task? → Public task
- Do you want to give individuals control and the processing is not essential for the service? → Consent
- Do you have a genuine interest, is the processing necessary for it, and is that interest not overridden by the individual's interests, rights, and freedoms? → Legitimate interests (with documented balancing test)
Use this checklist as a starting point, but always document your reasoning. The checklist does not replace a full assessment.
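The checklist above, together with the four-step process and Pitfall 4, can be maintained as checks that run over the record of processing activities, so a register entry that cites legitimate interests without a balancing test, or special category data without an Article 9 condition, is caught before an audit does. The following is an added example of such a linter. It is not the ICO or CNIL template, nor any vendor's product; the `Activity` and `Controller` field names and the two sample registers are constructed for illustration, and the checks encode only the rules stated on this page.

```python
from dataclasses import dataclass, field
from typing import Optional

# Added example: the lawful-basis checklist expressed as checks over a record of
# processing activities (ROPA). Not the ICO/CNIL template or a vendor product;
# the field names and sample registers below are constructed for illustration.

ARTICLE_6_BASES = {
    "consent", "contract", "legal_obligation",
    "vital_interests", "public_task", "legitimate_interests",
}


@dataclass
class Activity:
    name: str
    purpose: str
    lawful_basis: str
    special_category: bool = False              # health, biometrics, political opinions, ...
    article_9_condition: Optional[str] = None   # e.g. "9(2)(b) employment law"
    legal_reference: Optional[str] = None       # statute behind legal_obligation / public_task
    balancing_test_ref: Optional[str] = None    # where the LIA is filed
    consent_record_store: Optional[str] = None  # where consent evidence is kept


@dataclass
class Controller:
    name: str
    public_authority: bool
    activities: list = field(default_factory=list)


def check_activity(ctrl: Controller, a: Activity) -> list[str]:
    """Return the gaps found for one activity; an empty list means none found."""
    gaps: list[str] = []
    b = a.lawful_basis
    if b not in ARTICLE_6_BASES:
        return [f"'{b}' is not one of the six Article 6 bases"]
    if b == "legitimate_interests":
        if ctrl.public_authority:
            gaps.append("public authorities cannot rely on legitimate interests for their tasks (Art. 6(1), final sentence)")
        if not a.balancing_test_ref:
            gaps.append("legitimate interests without a documented balancing test")
    if b == "public_task" and not ctrl.public_authority and not a.legal_reference:
        gaps.append("public task needs official authority or a task laid down in law")
    if b == "legal_obligation" and not a.legal_reference:
        gaps.append("legal obligation without the specific law that mandates the processing")
    if b == "consent" and not a.consent_record_store:
        gaps.append("consent without a record of when and how it was obtained (Art. 7(1))")
    if a.special_category and not a.article_9_condition:
        gaps.append("special category data needs an Article 9 condition on top of the Article 6 basis")
    return gaps


def lint(ctrl: Controller) -> dict[str, list[str]]:
    """Map each activity name to its gaps; activities with no gaps are omitted."""
    report: dict[str, list[str]] = {}
    for a in ctrl.activities:
        gaps = check_activity(ctrl, a)
        if gaps:
            report[a.name] = gaps
    return report


def demo_private_company() -> Controller:
    """Constructed register for a private retailer."""
    return Controller("Example Retail Ltd", public_authority=False, activities=[
        Activity("order_fulfilment", "deliver purchased goods", "contract"),
        Activity("tax_records", "retain invoices for the tax authority", "legal_obligation",
                 legal_reference="national tax code retention rule"),
        Activity("newsletter", "marketing emails", "consent"),                 # no consent store
        Activity("fraud_screening", "detect payment fraud", "legitimate_interests",
                 balancing_test_ref="LIA-2026-03"),
        Activity("staff_health_insurance", "arrange employee insurance", "legitimate_interests",
                 special_category=True, balancing_test_ref="LIA-2026-04"),   # Pitfall 4
    ])


def demo_public_body() -> Controller:
    """Constructed register for a public university."""
    return Controller("Example University", public_authority=True, activities=[
        Activity("exam_administration", "administer exams", "public_task",
                 legal_reference="higher education act"),
        Activity("campus_analytics", "web analytics on the student portal", "legitimate_interests",
                 balancing_test_ref="LIA-UNI-01"),                           # not open to a public authority
    ])


if __name__ == "__main__":
    for ctrl in (demo_private_company(), demo_public_body()):
        print(ctrl.name)
        for name, gaps in lint(ctrl).items():
            for gap in gaps:
                print(f"  {name}: {gap}")
```

Run it and the retailer's register flags the newsletter (consent with nowhere the evidence is kept) and the staff insurance activity (health data with no Article 9 condition), while the university is flagged for using legitimate interests at all. The checker only confirms that the documentation the page calls for exists; whether the cited balancing test or statute actually supports the processing is still a human judgement.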
Frequently Asked Questions
Can I change my lawful basis later? Yes, but you must have a valid reason and inform data subjects. For example, if you initially relied on consent for a newsletter, but later decide to use legitimate interests, you must notify subscribers and allow them to object. Changing basis does not retroactively justify past processing.
What if I cannot decide between two bases? Choose the one that best fits the processing and document why. In some cases, you may have more than one basis for the same processing — but you should identify the primary one. Avoid using legitimate interests as a fallback if consent is more appropriate.
Do I need a DPA (Data Processing Agreement) if I use a processor? Yes, regardless of the lawful basis. If you engage a third party to process data on your behalf, you need a DPA that meets the requirements of Article 28. The lawful basis governs your relationship with the data subject; the DPA governs your relationship with the processor.
Is legitimate interests ever prohibited? Yes. Public authorities cannot rely on legitimate interests for processing in the performance of their tasks. Also, the basis fails whenever the balancing test fails: if the data subject would not reasonably expect the processing, or if it would cause unjustified harm. For example, selling customer data to third parties without consent is rarely covered by legitimate interests.
Synthesis and Next Steps
Key Takeaways
Choosing the right lawful basis is not a one-time task — it is an ongoing process that requires careful analysis, documentation, and review. The six bases are not interchangeable; each has specific requirements and limitations. Consent is powerful but burdensome; legitimate interests is flexible but requires a balancing test; contract and legal obligation are narrow but robust. Map your processing activities, assess each purpose independently, document your decisions, and inform data subjects. Regularly review your assessments to account for changes in law, technology, and business practices.
Immediate Actions
If you have not already done so, start by creating or updating your record of processing activities. For each activity, identify the purpose and the categories of data. Then, use the decision checklist above to determine the most appropriate lawful basis. Document your reasoning, including the legitimate interest balancing test if applicable. Update your privacy notice to reflect the bases you rely on. Finally, schedule a review for six months from now to ensure your assessments remain accurate. Remember, compliance is a journey, not a destination — and the lawful basis is your starting point.