Legal Bases for Processing Personal Data under the GDPR: Choosing the Right Ground and Documenting It

Choosing the correct legal basis for processing personal data is foundational to GDPR compliance. The legal basis determines whether processing is lawful, which rights apply, how you communicate with data subjects, and how long you may keep data. Misidentifying the legal basis can invalidate consent, weaken defences in investigations and expose organisations to regulatory enforcement. This article explains each lawful basis, practical selection guidance, common pitfalls, and documentation practices to make your decisions defensible.

Overview: the six lawful bases (Article 6)

Under the GDPR, processing of personal data is lawful only if at least one of the following applies:

  1. Consent — the data subject has given clear, informed, specific and freely given consent.
  2. Contract — processing is necessary for performance of a contract with the data subject or to take steps before entering a contract.
  3. Legal obligation — processing is necessary to comply with a legal obligation to which the controller is subject.
  4. Vital interests — processing is necessary to protect someone’s life (rare outside medical emergencies).
  5. Public task — processing necessary for performing a task carried out in the public interest or official authority (public bodies).
  6. Legitimate interests — processing necessary for the controller’s legitimate interests, except where overridden by the interests, rights or freedoms of the data subject.

Note: Special categories of data (sensitive data) require an additional ground under Article 9 (e.g., explicit consent, employment law obligations, public health, substantial public interest) alongside a valid Article 6 basis.

How to choose the right basis — practical guidance

  • Start with purpose: clearly articulate why you need the data and what you will do with it. The purpose drives which basis fits.
  • Prefer contract or legal obligation where those genuinely apply — these are stable and do not depend on behavioural consent.
  • Use consent when you need a freely given, specific opt‑in (e.g., direct marketing to customers where no contractual basis exists, or processing of special category data where explicit consent is required). Avoid bundling consent into terms and conditions.
  • Use legitimate interests for internal business purposes where individuals reasonably expect the processing and the impact is limited (e.g., fraud prevention, network security, direct B2B marketing), but always perform and document a Legitimate Interests Assessment (LIA).
  • Don’t use legitimate interests where a data subject expects a higher level of control (e.g., processing of children’s data, large-scale profiling affecting rights).
  • Document your reasoning — legal basis selection is a compliance decision, not an afterthought.

Consent — requirements and pitfalls

  • Consent must be specific, informed, unambiguous and freely given; affirmative action is required (no pre-checked boxes).
  • Must be as easy to withdraw as to give. Withdrawal does not retroactively affect the lawfulness of processing already carried out, but processing based on that consent must stop once it is withdrawn.
  • Separate consent for different processing purposes (e.g., analytics vs marketing).
  • Special category data generally requires explicit consent (Article 9) unless another exception applies.
  • Keep records of when, how and what the data subject consented to (versioned privacy notices, timestamps).

Pitfalls:

  • Bundling consent with mandatory service terms.
  • Vague or overly broad consent that does not describe the purpose.
  • Relying on consent when a contract or legitimate interest is available.

Contractual necessity

  • Applies where processing is necessary to perform a contract or take steps at the request of the data subject prior to entering into a contract (e.g., order fulfilment, payment processing).
  • Limit processing strictly to what is necessary for the contract; other purposes require separate bases.

Legal obligation

  • Applies when an EU/national law requires processing (e.g., tax law, anti-money laundering reporting).
  • Document the legal requirement and the specific clause that mandates processing; do not conflate “obligation” with business convenience.

Vital interests & public task

  • Vital interests are narrowly applied (life-or-death scenarios).
  • Public task applies to public authorities and bodies performing official functions; document statutory basis.

Legitimate interests — the most flexible but scrutinised basis

  • Suitable for many business needs (security, fraud prevention, internal analytics, B2B marketing) but requires a three-part test (Legitimate Interests Assessment, LIA):
      1. Purpose test: identify the legitimate interest (commercial, societal, or organisational).
      2. Necessity test: show the processing is necessary to achieve that interest.
      3. Balancing test: weigh the controller’s interest against the data subject’s rights and freedoms; consider reasonable expectations, vulnerability, and likely impact.
  • Implement safeguards to reduce impact (data minimisation, pseudonymisation, opt-out for direct marketing where required).
  • Record the LIA outcome, safeguards and review frequency.

Pitfalls:

  • Using legitimate interests for broad, invasive profiling without strong mitigations.
  • Failing to consider reasonable expectations (e.g., marketing a consumer who only engaged as an employee of a supplier).

Special categories of personal data (Article 9)

  • Processing special category data requires an Article 9 condition in addition to a valid Article 6 basis. Common conditions include:
      – Explicit consent of the data subject (Art. 9(2)(a)).
      – Employment, social security and social protection law obligations (Art. 9(2)(b)).
      – Vital interests where the subject is incapable of giving consent (Art. 9(2)(c)).
      – Substantial public interest with appropriate safeguards (Art. 9(2)(g)).
  • Health data and biometric data often fall here — document both the Article 6 and Article 9 bases.

Documentation & transparency — how to record legal bases

  • ROPA entries must include legal basis for each processing activity and retention justification.
  • Privacy notices must state the legal basis in plain language and, if relying on legitimate interests, summarise the interest and provide a link to the LIA.
  • Consent records: store timestamps, method, scope, and withdrawal logs.
  • Contractual/legal obligation: reference the specific contractual clause or legislation.
  • LIAs and DPIAs: link to ROPA and cite in privacy governance materials and board reports.

What to do when the basis changes

  • Notify data subjects if the legal basis changes in a way that affects their rights or expectations (e.g., moving from contract to legitimate interests for marketing).
  • Re-assess retention and minimise data where necessary.
  • Update privacy notices and internal records, and obtain fresh consent if the new purpose requires it.

Cross-border nuances and national law

  • National laws can affect legal bases, especially for employment, healthcare and public interest processing. Always check applicable national legislation and document where national law overrides or supplements GDPR provisions.

Practical examples

  • HR payroll: Contract (necessary for performance), plus legal obligation (tax/record-keeping). Special category: health data for sick leave — Article 9 condition applies.
  • Marketing to current customers: Legitimate interests often apply; provide opt-out and conduct LIA. For direct marketing via electronic communications, follow ePrivacy rules (consent may be required in some jurisdictions).
  • Analytics on website: Legitimate interests possible for aggregated, non-intrusive metrics; use DPIA if behavioural profiling at scale.
  • Medical research using patient data: Likely explicit consent or public interest condition, combined with Article 6 basis and rigorous safeguards.

Common compliance mistakes

  • Using consent by default because it feels simpler — it creates revocation risk and administrative burden.
  • Not documenting LIAs or performing shallow balancing tests.
  • Applying a single basis across multiple, unrelated purposes.
  • Failing to link legal basis decisions to retention and minimisation choices.

Governance: process and responsibilities

  • Legal/Privacy team: advises on basis selection, approves LIAs and reviews complex cases.
  • DPO: reviews borderline cases, ensures documentation and provides guidance on transparency.
  • Business owners: draft purpose statements, select practical safeguards and implement operational controls.
  • HR/IT/Procurement: ensure contracts, onboarding and supplier DPAs reflect lawful bases and limitations.

Conclusion

Selecting and documenting the correct legal basis for processing personal data is a critical privacy control and evidences compliance. Treat legal bases as strategic decisions—tie them to purpose, minimisation, retention and subject transparency. Robust documentation and periodic review turn legal basis choices from risky assumptions into defensible positions.