Before you collect or use any personal data under GDPR, you must answer one question: what is our lawful basis? There are six to choose from, and picking the right one shapes your obligations, your transparency and people’s rights. It is one of the first practical decisions in any GDPR compliance programme.
This guide explains all six lawful bases, when each fits best, how the legitimate interests assessment works, and how to choose and document the right basis.
Why you need a lawful basis
Under Article 6, you cannot process personal data simply because it is useful. You must identify one of six lawful bases before you begin, and that basis must genuinely fit what you are doing. Processing without a valid basis is unlawful, full stop — and it sits in GDPR’s higher fine tier.
Choosing the right basis is not a box-ticking exercise. It shapes which rights individuals have, how you must be transparent, and how easily you can change course later, so it deserves genuine thought up front.
The six lawful bases at a glance
The table summarises the six bases and where each fits best. We look at each in turn below.
| Lawful basis | When it fits best |
|---|---|
| Consent | Optional activities like marketing or non-essential cookies, where the person has a real choice. |
| Contract | Processing needed to deliver a product or service the person asked for. |
| Legal obligation | Processing required to comply with a law, such as tax or employment records. |
| Vital interests | Protecting someone’s life — rare, mainly emergencies. |
| Public task | Functions in the public interest or under official authority. |
| Legitimate interests | Reasonable business uses that don’t override the person’s rights — needs a balancing test. |
1. Consent
Consent means the person has freely given a specific, informed and unambiguous indication of agreement to the processing. It must be as easy to withdraw as to give, and you must keep records of it. Consent suits genuinely optional activities — marketing emails, non-essential cookies — where the person has a real choice.
It is often not the easiest basis to rely on, because withdrawal can force you to stop the processing. Many organisations over-use consent when another basis would be sounder.
2. Contract
The contract basis applies where processing is necessary to perform a contract with the person, or to take steps at their request before entering one. Delivering a product, fulfilling an order, or managing an account all fit here.
The key word is necessary: the processing must be genuinely needed to deliver what the person asked for, not merely useful to your business. You cannot stretch “contract” to cover marketing or analytics.
3. Legal obligation
The legal obligation basis applies where you must process data to comply with the law — retaining tax records, meeting employment-law duties, or responding to a lawful authority request. The obligation must come from law, not merely a contract.
Because the law dictates the processing, individuals have fewer ways to object, but you should still be able to point to the specific legal requirement involved.
4. Vital interests
The vital interests basis covers processing necessary to protect someone’s life. It is narrow and used mainly in emergencies — for example, sharing medical information when a person is unconscious and cannot consent.
It is rarely the right basis for routine business processing, and you generally cannot rely on it where another basis is realistically available.
5. Public task
The public task basis applies where processing is necessary to perform a task carried out in the public interest or in the exercise of official authority. It is most relevant to public authorities and bodies exercising official functions.
Private organisations occasionally rely on it when carrying out functions laid down in law, but for most businesses it will not apply.
6. Legitimate interests
The legitimate interests basis is the most flexible. It allows processing necessary for interests pursued by you or a third party, provided those interests are not overridden by the individual’s rights and freedoms. It suits many ordinary business activities — fraud prevention, network security, and relevant B2B marketing.
Its flexibility comes with responsibility: you must carry out and document a balancing test before you rely on it, which we look at next.
The legitimate interests assessment
To rely on legitimate interests you should complete a legitimate interests assessment (LIA) with three parts: identify the interest (the purpose test), show the processing is necessary to achieve it (the necessity test), and confirm it does not unfairly override the individual’s rights (the balancing test).
Documenting the LIA both protects you and forces useful discipline — if you cannot articulate why your interest outweighs the impact on people, you probably need a different basis or a different approach.
Choosing the right basis
Start from the purpose of the processing and pick the basis that fits most naturally. Is the processing required to deliver something the person asked for? Use contract. Required by law? Legal obligation. A reasonable business use? Legitimate interests, with an LIA. A genuinely optional extra? Consent.
Avoid defaulting to consent for everything — it is often the weakest fit and the hardest to maintain.
You cannot easily swap bases
You must decide your lawful basis before you start processing and tell people about it in your privacy notice. Switching basis later — for example, from consent to legitimate interests because consent became inconvenient — is difficult and generally not allowed, because it undermines transparency.
This is why a little thought up front saves a lot of pain: get the basis right the first time rather than trying to re-paper it after the fact.
Special category data needs more
For special category data — health, biometrics, beliefs and so on — an Article 6 lawful basis is not enough. You also need a separate condition under Article 9. So sensitive processing requires two justifications layered together: the lawful basis and the special category condition.
Missing the second layer is a common error when sensitive data is involved, so flag special category data early and check both boxes.
Document your bases
The accountability principle expects you to record your lawful basis for each processing activity, ideally in your record of processing, alongside any LIA or special category condition. This makes your privacy notice accurate, speeds up responses to rights requests, and provides ready evidence if a regulator asks.
A simple mapping of activity to basis is one of the highest-value documents in a GDPR programme.
How ISpectra helps
Selecting and documenting lawful bases correctly underpins everything else in your GDPR compliance. ISpectra Technologies helps organisations map each processing activity to the right basis, complete robust legitimate interests assessments, and capture the special category conditions where sensitive data is involved.
If you are unsure whether your current bases would withstand scrutiny, a short review will tell you quickly.
In one paragraph
GDPR requires a lawful basis for every processing activity, chosen from six in Article 6: consent, contract, legal obligation, vital interests, public task and legitimate interests. Pick the one that fits your purpose — contract for delivering a service, legal obligation for legally required processing, legitimate interests (with a balancing test) for reasonable business uses, and consent for genuinely optional activities. Decide and document your basis before you start, reflect it in your privacy notice, and remember that special category data needs an additional Article 9 condition on top. Get this right and the rest of GDPR has firm foundations.