Your guide to the 6 lawful bases for data processing under GDPR
Every GDPR processing activity needs a lawful basis under Article 6. Picking the wrong basis—or using consent when legitimate interests would suffice—creates compliance and product friction.
Key takeaways
- You must identify one primary lawful basis per purpose—not stack bases “just in case.”
- Consent is strict: freely given, specific, informed, unambiguous, and easy to withdraw.
- Legitimate interests require a documented LIA balancing test.
- Special category data (Article 9) needs an additional condition beyond Article 6.
This guide covers:
- Each of the six Article 6 bases with examples
- Selection criteria and documentation tips
- Consent vs legitimate interests in marketing and analytics
- Article 9 add-ons for sensitive data

The six lawful bases (Article 6)
| Basis | Article 6(1) | Typical use cases |
|---|---|---|
| Consent | (a) | Optional newsletters, non-essential cookies, some marketing |
| Contract | (b) | Delivering a signed SaaS agreement, account setup, payments |
| Legal obligation | (c) | Tax records, employment law filings, regulatory reporting |
| Vital interests | (d) | Life-threatening emergencies (rare in commercial contexts) |
| Public task | (e) | Public authorities performing official functions |
| Legitimate interests | (f) | Fraud prevention, B2B prospecting (with care), security logging |
You cannot switch lawful bases retroactively if the original basis was invalid (e.g., flawed consent).
How to choose the right basis
Ask for each processing purpose:
- Is it necessary for a contract the individual requested?
- Are we required by law to process the data?
- Can we achieve the goal without processing—or with less invasive means?
- If relying on legitimate interests, does our interest outweigh the individual’s rights (LIA)?
- If using consent, can we meet GDPR consent standards and honor withdrawal?
Document the basis in your RoPA and reflect it in your privacy notice.
Consent vs legitimate interests
Consent (Article 6(1)(a))
- Must be opt-in for most situations; pre-ticked boxes are invalid.
- Must be granular per purpose where purposes differ.
- Withdrawal must be as easy as giving consent.
- Not appropriate for imbalanced relationships (e.g., employer–employee in many cases).
Legitimate interests (Article 6(1)(f))
Conduct a Legitimate Interest Assessment (LIA):
| LIA step | Question |
|---|---|
| Purpose | What legitimate interest are we pursuing? |
| Necessity | Is processing necessary for that purpose? |
| Balancing | Do individual rights override our interest? |
Provide opt-out where required (e.g., direct marketing under Article 21). Supervisory authorities scrutinize surveillance-style analytics and covert profiling.
Special category data (Article 9)
Sensitive data—health, biometrics, racial/ethnic origin, political opinions, trade union membership, genetic data, sex life/orientation, religious beliefs—requires:
- An Article 6 basis, and
- An Article 9 condition (e.g., explicit consent, employment law, substantial public interest)
Apply data minimization and enhanced security. DPIAs are often mandatory.
Get audit-ready with SecureSlate
SecureSlate links processing activities to documented lawful bases, control evidence, and review workflows—keeping Article 6 choices visible during audits and customer due diligence.
FAQ
Can we use multiple lawful bases for one activity?
You should identify the most appropriate single basis per purpose. Different purposes in the same product may use different bases.
Is consent required for all marketing?
Not always. Legitimate interests may apply to some B2B outreach with an LIA and easy opt-out; ePrivacy rules may impose additional requirements for electronic marketing.
What if we picked the wrong basis?
Stop relying on the invalid basis, reassess whether the processing can continue on a valid one, and update your privacy notices and contracts accordingly. Seek legal advice if processing continued unlawfully.
Disclaimer (legal note)
General information only—not legal advice. Lawful basis analysis is fact-specific and may interact with national ePrivacy laws.
Need compliance without the complexity?
SecureSlate automates ISO 27001, SOC 2, GDPR, HIPAA, and more. Built for growing teams. See it in action.
