5.2 Lawful Bases for Processing
Module 5: GDPR — Europe's Standard
Explains the six lawful bases for processing under GDPR Art. 6, how to identify which applies, and the strict requirements for valid consent under Art. 7.
One of the most fundamental questions in GDPR is: on what legal basis are you processing this personal data? Without a valid lawful basis, processing is unlawful — full stop. Understanding these bases helps you both recognise whether organisations are processing your data legitimately and understand what rights you hold in each scenario.
The six lawful bases (GDPR Art. 6)
- Consent (Art. 6(1)(a)) — The individual has given clear, informed agreement for one or more specific purposes.
- Contract (Art. 6(1)(b)) — Processing is necessary to fulfil a contract with the individual, or to take steps before entering one (e.g. processing your name and address to ship an order you placed).
- Legal obligation (Art. 6(1)(c)) — Processing is required by law — for example, an employer must process payroll data to comply with tax law.
- Vital interests (Art. 6(1)(d)) — Processing is necessary to protect someone's life. This is a narrow basis, typically used in emergencies where consent cannot be obtained.
- Public task (Art. 6(1)(e)) — Processing is necessary for a task carried out in the public interest or in the exercise of official authority — for example, a hospital authority managing public health records.
- Legitimate interests (Art. 6(1)(f)) — Processing is necessary for the legitimate interests of the controller or a third party, except where these are overridden by the individual's interests or fundamental rights. This basis requires a balancing test.
Why the lawful basis matters
The basis chosen directly determines the rights you can exercise. If processing is based on consent, you have the right to withdraw it at any time (Art. 7(3)), and withdrawal must be as easy as giving consent. If processing is based on legitimate interests or public task, you have the right to object (Art. 21), and the controller must stop unless it can show compelling legitimate grounds that override your interests. The right to data portability (Art. 20) applies only where the basis is consent or contract. If processing is necessary for a contract, the controller can refuse erasure (Art. 17) while the data is still needed to perform that contract, so erasure may only become possible once the contractual relationship ends.
The strict requirements for valid consent (Art. 7)
Consent is frequently misunderstood and misused. Under the GDPR, consent must be:
- Freely given — no coercion and no imbalance of power; consent is presumed not to be freely given where access to a service is made conditional on consenting to processing that the service does not actually need (Art. 7(4))
- Specific — given for a particular purpose, not a blanket agreement
- Informed — the individual must understand what they are consenting to
- Unambiguous — expressed by a clear affirmative action; silence, pre-ticked boxes, and inactivity do not count
Special category data (Art. 9)
For special category data — health data, genetic and biometric data used to uniquely identify a person, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and data about sex life or sexual orientation — an Art. 6 lawful basis alone is not enough. Art. 9(1) prohibits processing these categories unless one of the specific conditions in Art. 9(2) also applies, such as explicit consent, obligations under employment or social security law, protecting the vital interests of someone who is physically or legally incapable of consenting, or the provision of health care. This double-layered requirement (an Art. 6 basis plus an Art. 9(2) condition) reflects the heightened risk these categories carry.
Your takeaway
Every time an organisation processes your data, it must be able to name one of these six bases, and for special category data an Art. 9(2) condition as well. Asking a simple question — why does this organisation need this data, and on what basis? — is a powerful privacy tool.