GDPR Lawful Bases Reference

All 6 GDPR Article 6 lawful bases for processing personal data.

Reference to the six GDPR Article 6 lawful bases for processing personal data — consent, contract, legal obligation, vital interests, public task and legitimate interests — with plain examples and when each applies. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

How many lawful bases does GDPR provide?

Six, all set out in Article 6(1): consent, contract, legal obligation, vital interests, public task and legitimate interests. You must identify and document at least one lawful basis before you start processing personal data, and you should record which one you rely on for each purpose.

The six GDPR lawful bases for processing

Under the EU/UK General Data Protection Regulation, you may not process personal data unless you have a valid lawful basis. Article 6(1) sets out exactly six, and you must identify the right one for each processing purpose before you begin. This reference lists all six with the condition that triggers them, a plain example, and a note on how the basis affects individuals’ rights.

The six bases at a glance

BasisArticle 6(1)When it appliesKey rights impact
Consent(a)Clear, freely given opt-inPortable; easily withdrawn
Contract(b)Necessary to perform or prepare a contractPortable
Legal obligation(c)Required by law or regulationNo right to erasure while obligation applies
Vital interests(d)Life-or-death situationsNarrow — only where consent impossible
Public task(e)Official public authority functionRight to object applies
Legitimate interests(f)Genuine interest not overridden by data subject rightsRight to object; needs balancing test

Each basis in depth

Consent (6(1)(a)). Must be freely given, specific, informed, and unambiguous. Silence, pre-ticked boxes, and bundled consent are not valid. The data subject can withdraw consent at any time, and withdrawal must be as easy as giving it. Use consent where you process data beyond what the service strictly requires — for example, sending optional marketing emails.

Contract (6(1)(b)). Processing is necessary to perform a contract the data subject is party to, or to take pre-contractual steps at their request. A delivery address for an order, or credit checks before signing a lease, fall here. Processing for your convenience or to improve service quality is not “necessary” under contract.

Legal obligation (6(1)(c)). Processing is required to comply with a law or regulation. Payroll processing for HMRC, retaining VAT records for six years, or checking right-to-work documents. The obligation must stem from UK or EU law — your own contractual terms do not count.

Vital interests (6(1)(d)). Processing is necessary to protect someone’s life, typically in a medical emergency where the person cannot give consent. This is a narrow basis rarely used outside the health sector.

Public task (6(1)(e)). Processing is necessary for a task carried out in the public interest or in the exercise of official authority. Primarily for public bodies, regulators, and those processing under statutory powers. Private companies rarely rely on this basis.

Legitimate interests (6(1)(f)). Processing is necessary for a genuine interest of the controller or a third party, provided it is not overridden by the data subject’s rights. The most flexible basis, requiring a documented Legitimate Interests Assessment (LIA) covering three parts: (1) purpose — is the interest real and legitimate?; (2) necessity — is processing necessary or could a less intrusive approach work?; (3) balancing — do the individual’s interests or rights override the legitimate interest?

Which basis to choose in practice

  • Marketing to existing customers: often legitimate interests (soft-opt-in), unless you need explicit consent (e.g., electronic marketing to individuals under PECR in the UK requires consent).
  • Processing employee data: usually a mix of contract (for payroll), legal obligation (for tax), and sometimes legitimate interests (for access logging and security monitoring).
  • Analytics on website visitors: typically requires consent via cookie banner, since this goes beyond what is necessary to deliver the service.

Rights that depend on the basis

  • Right to data portability (Article 20): only applies to consent and contract.
  • Right to erasure (Article 17): does not apply where legal obligation or vital interests are the basis and the processing is still required.
  • Right to object (Article 21): applies to legitimate interests and public task. The controller must stop unless it can demonstrate compelling legitimate grounds that override the individual’s interests.

Key rule

Document one lawful basis per processing purpose before processing starts, not retrospectively. Switching bases later is difficult under GDPR and can be seen as unfair. Keep a Record of Processing Activities (ROPA) that maps each purpose to its basis and documents why that basis was chosen.