⚖ 6 Lawful Bases for Processing
Article 6 of GDPR requires that EVERY processing activity has a lawful basis. You must identify and document the lawful basis BEFORE you start processing. You cannot change the lawful basis after the fact. Choosing the wrong basis is one of the most common and costly GDPR mistakes. As a consultant, this is often where you add the most value — helping clients correctly map each processing activity to the right basis.
Consent
Article 6(1)(a): The individual has given clear, affirmative agreement to the processing of their personal data for one or more specific purposes. GDPR consent is a very high bar — it must be freely given, specific, informed, and unambiguous. Pre-ticked boxes, silence, or inactivity do NOT count.
When to Use: Use consent when none of the other bases apply and you need the individual's active agreement. Common for: marketing emails, cookies and tracking, sharing data with third parties for their own purposes, processing special category data. Avoid consent when there is a power imbalance (employer-employee, government-citizen) or when the processing is truly necessary for another basis.
Requirements
- ✓ Must be freely given — no penalty for refusing or withdrawing
- ✓ Must be specific — separate consent for each distinct purpose
- ✓ Must be informed — clear explanation of what they are agreeing to
- ✓ Must be unambiguous — requires a clear affirmative action (opt-in, not opt-out)
- ✓ Must be as easy to withdraw as it was to give
- ✓ Must be documented — you must be able to prove consent was given
- ✓ Cannot be bundled with terms of service
- ✓ Must be refreshed if purposes change
- ✓ Children under 16 (or 13 in some countries) require parental consent
Common Mistakes
- ❌ Using pre-ticked consent boxes (invalid under GDPR)
- ❌ Bundling multiple purposes into one consent request
- ❌ Making consent a condition of service when it is not necessary
- ❌ Not providing an equally easy way to withdraw consent
- ❌ Not keeping records of when and how consent was obtained
- ❌ Using consent when legitimate interests would be more appropriate (consent can be withdrawn, creating operational headaches)
💡 Consultant Tip: Consent is often OVER-USED. Many consultants default to consent for everything, but this creates operational burden because consent can be withdrawn at any time. Always check if legitimate interests, contract, or legal obligation might be a better fit first. Reserve consent for situations where you truly need the individual's active agreement, especially marketing and optional data sharing.
Contract
Article 6(1)(b): Processing is necessary for the performance of a contract with the data subject, or to take steps at their request prior to entering into a contract. In plain English: you need to process the data to deliver what you promised.
When to Use: Use this when: processing is genuinely necessary to fulfill a contract with the individual (delivering a product, providing a service, processing a payment) or when the individual has asked you to do something before entering a contract (providing a quote, processing an application). Do NOT stretch this to cover processing that is merely useful but not necessary for the contract.
Requirements
- ✓ A contract must exist (or be about to be entered into) with the data subject
- ✓ The processing must be genuinely NECESSARY for the contract — not just useful or convenient
- ✓ Cannot be used for processing that goes beyond what is needed (e.g., profiling for marketing is not necessary for a purchase contract)
- ✓ The data subject must be a party to the contract
Common Mistakes
- ❌ Stretching contract necessity to cover processing that is merely useful (e.g., claiming marketing analytics are necessary for an e-commerce contract)
- ❌ Using contract basis for processing employee data when legal obligation or legitimate interests may be more appropriate
- ❌ Not clearly defining what processing is necessary in the contract terms
💡 Consultant Tip: Contract is the cleanest basis for most core business processing. Delivering a product, processing an order, providing a subscribed service — these all fit naturally under contract. But be strict about 'necessity' — only include processing that is objectively required to fulfill the contract, not everything you WANT to do with the data.
Legal Obligation
Article 6(1)(c): Processing is necessary to comply with a legal obligation that the controller is subject to. In plain English: the law requires your client to process this data. This does not include contractual obligations — it means laws and regulations.
When to Use: Use this when: tax law requires you to keep financial records, employment law requires you to process employee data, anti-money laundering regulations require customer verification (KYC), healthcare regulations require patient record keeping, or any other statutory or regulatory requirement mandates processing.
Requirements
- ✓ The obligation must be laid down in EU or Member State law
- ✓ The processing must be necessary (not just helpful) to comply with the obligation
- ✓ You should document which specific law or regulation creates the obligation
- ✓ Contractual obligations do NOT count — only legal/regulatory obligations
Common Mistakes
- ❌ Claiming legal obligation without identifying the specific law
- ❌ Confusing contractual obligations with legal obligations
- ❌ Using legal obligation for processing that goes beyond what the law requires
- ❌ Not reviewing whether the legal obligation still exists when laws change
💡 Consultant Tip: Legal obligation is a strong, stable basis because it does not depend on the individual's consent or your balancing test. Always have the legal team identify the specific statute or regulation. Build a register mapping each legal obligation to the specific law that creates it — this is gold during audits.
Vital Interests
Article 6(1)(d): Processing is necessary to protect someone's life or physical safety. This is the emergency basis — it is very narrow and should rarely be used. Think: life-or-death situations.
When to Use: Use ONLY in genuine emergencies where someone's life or physical safety is at risk and you cannot obtain consent. Examples: sharing medical information with emergency services for an unconscious person, processing data during a natural disaster to locate survivors. Do NOT use this as a general health and safety basis.
Requirements
- ✓ Must involve a genuine threat to life or physical safety
- ✓ Cannot be used if you can reasonably rely on another lawful basis (especially consent)
- ✓ Can protect the vital interests of the data subject OR another person
- ✓ Should be a last resort — not a routine basis for processing
Common Mistakes
- ❌ Using vital interests for routine health and safety processing (use legal obligation or legitimate interests instead)
- ❌ Relying on vital interests when consent could be obtained
- ❌ Treating it as a general-purpose emergency basis
💡 Consultant Tip: You will almost never use this basis in practice. If your client is using vital interests for anything routine, they are doing it wrong. The only legitimate use cases are true life-threatening emergencies. For workplace health and safety, use legal obligation. For medical treatment, use explicit consent or legal obligation under health laws.
Public Task
Article 6(1)(e): Processing is necessary for a task carried out in the public interest or in the exercise of official authority vested in the controller. This basis is mainly for public authorities and organizations exercising official functions.
When to Use: Use this when: your client is a government body, local authority, or other public body performing its official functions. Also applies to private organizations performing public tasks (e.g., utility companies, healthcare providers under public health systems). You need a clear basis in law for the task.
Requirements
- ✓ The task must be laid down in law (EU or Member State)
- ✓ Processing must be necessary for performing the task
- ✓ Mainly used by public authorities, but private bodies can use it if performing a public function
- ✓ The data subject has the right to object to processing under this basis
Common Mistakes
- ❌ Private companies claiming public task when they are not performing any public function
- ❌ Not identifying the specific legal basis for the public task
- ❌ Forgetting that individuals can object to public task processing
💡 Consultant Tip: If your client is a private company, this basis probably does not apply. It is mainly for government agencies, NHS trusts, universities (publicly funded), and similar organizations. If your client IS a public body, this is often the primary basis — but make sure each processing activity is genuinely necessary for the official task.
Legitimate Interests
Article 6(1)(f): Processing is necessary for the legitimate interests of the controller or a third party, UNLESS those interests are overridden by the interests, rights, or freedoms of the data subject. This is the most flexible basis but requires a balancing test. It is NOT available to public authorities performing their tasks.
When to Use: Use this for: fraud prevention, network security, internal administration, direct marketing to existing customers (with opt-out), intra-group data transfers, employee monitoring (proportionate), analytics on existing customer data. Always conduct and document a Legitimate Interest Assessment (LIA) before relying on this basis.
Requirements
- ✓ Identify the specific legitimate interest (business need, third party interest, or broader benefit)
- ✓ Demonstrate that processing is NECESSARY (not just useful) for that interest
- ✓ Conduct a balancing test: do the individual's rights and freedoms override your interest?
- ✓ Document the assessment in a Legitimate Interest Assessment (LIA)
- ✓ Provide the right to object
- ✓ Not available to public authorities for their core tasks
Common Mistakes
- ❌ Not conducting or documenting a Legitimate Interest Assessment
- ❌ Claiming legitimate interest for processing that is clearly overridden by individual rights
- ❌ Using legitimate interest as a catch-all when other bases do not fit (lazy approach)
- ❌ Not providing the right to object
- ❌ Not revisiting the LIA when circumstances change
- ❌ Public authorities trying to use legitimate interest for their core functions
💡 Consultant Tip: Legitimate interests is the workhorse basis for most private-sector processing. But you MUST do the work — conduct a proper three-part LIA: (1) Purpose test: is there a genuine legitimate interest? (2) Necessity test: is the processing actually necessary? (3) Balancing test: do individual rights override? Document everything. A well-documented LIA is your best defense during an audit. Many fines come from organizations that relied on legitimate interest without doing the assessment.