Every personal data processing activity must be grounded in one of the six lawful bases for processing defined in GDPR Article 6. Selecting the wrong lawful basis — or failing to document the basis chosen — is one of the most common GDPR compliance failures and can invalidate an organization's entire processing activity. Your Secure Privacy DPO advises on lawful basis selection for each processing activity, conducts Legitimate Interest Assessments (LIAs) where required, and ensures the correct basis is communicated to data subjects and documented in your Record of Processing Activities (ROPA).
Who Is This For?
Data Protection Officers and privacy managers advising on GDPR Article 6 compliance
Legal and compliance teams documenting lawful bases for processing activities in the ROPA
Marketing teams relying on consent or legitimate interests for customer data processing
HR and IT teams identifying lawful bases for employee and operational data processing
Why Choosing the Correct GDPR Lawful Basis Matters
The lawful basis selected for a processing activity determines the rights available to data subjects, the conditions under which processing can continue, and what your organization must communicate in its privacy notices. Relying on the wrong basis — for example, using consent when contract performance is more appropriate — can expose your organization to enforcement action, undermine the validity of consent obtained, and create inconsistencies in your ROPA and privacy documentation that supervisory authorities will identify during investigations.
The Six GDPR Article 6 Lawful Bases for Processing
GDPR Article 6 provides six lawful bases for processing personal data. Your DPO advises on which basis applies to each of your organization's processing activities:
| Lawful Basis | GDPR Reference | When to Use |
|---|---|---|
| Consent | Article 6(1)(a) | The individual has given clear, specific, informed, and unambiguous consent to the processing for a defined purpose |
| Contract | Article 6(1)(b) | Processing is necessary for the performance of a contract with the individual, or to take pre-contractual steps at their request |
| Legal Obligation | Article 6(1)(c) | Processing is necessary to comply with a legal obligation to which the controller is subject under EU or member state law |
| Vital Interests | Article 6(1)(d) | Processing is necessary to protect the vital interests of the data subject or another person — typically life-threatening situations |
| Public Task | Article 6(1)(e) | Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller |
| Legitimate Interests | Article 6(1)(f) | Processing is necessary for the legitimate interests of the controller or a third party, unless overridden by the individual's rights and freedoms |
How Your DPO Advises on GDPR Lawful Basis Selection
Purpose analysis
Your DPO works with relevant teams to understand the specific, defined purpose of each processing activity — the starting point for identifying the most appropriate lawful basis.
Basis assessment
Your DPO evaluates which lawful basis or bases are most appropriate for the processing, considering the nature of the data, the relationship with the data subject, and any applicable legal obligations. Where multiple bases could apply, your DPO advises on the most defensible choice.
Documentation in the ROPA
The chosen lawful basis and the reasoning behind the selection are recorded in your Record of Processing Activities (ROPA) — providing the documented accountability trail required under GDPR Article 5(2).
Privacy notice update
GDPR Articles 13 and 14 require that the lawful basis for processing be communicated to data subjects in your privacy notice. Your DPO ensures privacy notices are updated to reflect the correct basis for each processing activity.
Ongoing lawful basis review
Lawful bases must be reassessed when processing purposes change, new processing activities are introduced, or regulatory guidance shifts. Your DPO conducts periodic reviews and updates documentation accordingly.
Legitimate Interest Assessment (LIA): The Three-Part Test
When your organization relies on legitimate interests as its lawful basis under Article 6(1)(f), your DPO conducts a Legitimate Interest Assessment (LIA) to confirm the basis is valid and defensible. The LIA applies a structured three-part test:
Purpose test: Is there a genuine legitimate interest behind the processing? The interest must be real, present, and not trivial — commercial interests, security interests, and administrative efficiency can all qualify, provided they are sufficiently clear and specific.
Necessity test: Is the processing actually necessary to achieve the legitimate interest? If the same result could be achieved through less privacy-intrusive means, legitimate interests may not be an appropriate basis.
Balancing test: Are the legitimate interests of the controller overridden by the privacy rights, freedoms, and interests of the data subject? This is the most critical part of the assessment — factors include the nature of the data, the reasonable expectations of the individual, and the potential impact of the processing.
Your DPO documents the LIA in full, providing a written record that can be produced for supervisory authorities or data subjects who exercise their right to object under GDPR Article 21.
Special Category Data: GDPR Article 9 Additional Conditions
Processing special categories of personal data under GDPR Article 9 — including health data, biometric data, racial or ethnic origin, religious beliefs, sexual orientation, trade union membership, and genetic data — requires your organization to satisfy two separate legal requirements simultaneously:
A lawful basis under GDPR Article 6 for the processing activity
An additional condition under GDPR Article 9(2) — such as explicit consent, employment law obligations, vital interests, or substantial public interest — that specifically permits the processing of special category data
Your DPO ensures both conditions are identified, documented, and reflected in your ROPA and privacy notices before any special category data processing begins. Relying on an Article 6 lawful basis alone is not sufficient for special category data.
Frequently Asked Questions
Can an organization rely on more than one lawful basis for the same processing activity?
Organizations should identify a single primary lawful basis for each processing activity before processing begins. While it is possible to document an alternative basis in some circumstances, switching between bases after the fact — particularly switching from consent to legitimate interests when consent is withdrawn — is not permitted and is a recognized enforcement finding.
Is consent always the strongest lawful basis for processing?
Not necessarily. Consent requires ongoing management, can be withdrawn at any time, and is inappropriate in contexts where there is a power imbalance (such as employment). Where contract performance or legal obligation genuinely applies, those bases are more appropriate and more stable than consent. Your DPO advises on the most suitable basis for each activity.
What happens if an organization cannot identify a lawful basis for a processing activity?
If no lawful basis applies to a processing activity, the processing must not take place. Your DPO will advise on whether the processing can be restructured to fall within a lawful basis, whether it should be discontinued, or whether a different approach to achieving the same organizational objective is available without requiring the processing of personal data.
What is the difference between consent under Article 6(1)(a) and explicit consent under Article 9(2)(a)?
Standard consent under Article 6(1)(a) must be freely given, specific, informed, and unambiguous — and can be expressed through a clear affirmative action. Explicit consent under Article 9(2)(a) for special category data requires a higher standard — the consent must be expressed in explicit terms, typically in writing, and must clearly reference the specific type of special category data being processed.