Legal Bases for Processing Personal Data — A Detailed Guide to Article 6 GDPR
Selecting the correct legal basis for processing personal data is one of the most important decisions a data controller makes, and at the same time one of the most common causes of infringements found by UODO, the Polish supervisory authority. An incorrectly chosen legal basis can render the entire processing activity unlawful, even if the organisation meets every other GDPR requirement.
Article 6 of the GDPR lists six — and only six — legal bases on which personal data processing may rely. There is no seventh option. If none of them applies, the processing is impermissible.
This article examines each of the six legal bases in detail — with examples, pitfalls, and practical guidance on selecting the right one.
Why the Choice of Legal Basis Matters So Much
The legal basis is not an abstract formal requirement — it determines the entire relationship between the controller and the data subject:
Different data subject rights: which rights the individual can exercise depends on the basis. Consent brings the right to withdraw it (Article 7(3)). Legitimate interest and public interest bring the right to object (Article 21(1)). Consent and contract bring the right to data portability for processing carried out by automated means (Article 20). Legal obligation excludes the right to erasure for as long as the obligation lasts (Article 17(3)(b)).
Different controller obligations — consent requires a withdrawal mechanism, legitimate interest requires a balancing test (LIA), contract requires linking the scope of data to the subject matter of the agreement.
Consequences of an incorrect choice — if a controller relies on consent but the consent does not meet the requirements (e.g., it is not freely given), the processing is unlawful. Changing the legal basis “on the fly” is problematic — the EDPB indicates that the controller should determine the legal basis before processing begins and should not change it arbitrarily.
Privacy notice: Articles 13 and 14 GDPR require the legal basis for each purpose to be stated in the privacy notice, and where Article 6(1)(f) is relied on, the legitimate interest pursued must be named as well. Incorrect or missing information is a separate infringement.
Basis 1: Consent (Article 6(1)(a))
Definition: The data subject has given consent to the processing of their personal data for one or more specific purposes.
When to use:
- Newsletter and email marketing
- Analytics and marketing cookies
- Publishing an employee’s photo on the company website
- Processing data for purposes that do not arise from a contract, legal obligation, or legitimate interest
Requirements for valid consent (Article 7 GDPR):
Freely given: consent must be given voluntarily, without coercion, and the individual must suffer no negative consequences for refusing. Making the conclusion or performance of a contract conditional on consent to processing that is not necessary for that contract (e.g., “tick the marketing consent box to place an order”) is presumed to make the consent not freely given (Article 7(4) GDPR) and therefore invalid.
Specific — consent must relate to a specific purpose. Generic consent (“I agree to data processing”) is invalid. If you process data for multiple purposes, you need separate consent for each.
Informed — the individual must know what they are consenting to: who the controller is, the processing purpose, what data is covered, and to whom it may be disclosed.
Unambiguous: consent requires a clear affirmative act (ticking an unticked checkbox, clicking a button), as Article 4(11) GDPR defines it. Silence, pre-ticked boxes, and inaction do NOT constitute consent. The CJEU confirmed this in Planet49 (C-673/17).
Withdrawable — the individual must be able to withdraw consent at any time, as easily as it was given (Article 7(3) GDPR). Withdrawal does not affect the lawfulness of processing prior to withdrawal.
Most common mistakes:
- Using consent where the proper basis is contract or legal obligation
- Making consent a condition of service
- No mechanism for consent withdrawal
- Vague consent wording
- Pre-ticked checkboxes
- Bundling multiple purposes in a single consent
Employee consent — the EDPB and UODO emphasise that in the employer-employee relationship, consent will rarely be considered freely given due to the power imbalance. Where possible, a different legal basis should be used.
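The Article 7 requirements above translate directly into what a consent record has to capture. The following is an added example, not code from the original article or from the law office that published it: a small append-only consent ledger that records each purpose separately (no bundling), accepts only an affirmative act as consent (no pre-ticked boxes), keeps the version of the notice the person saw (informed), supports per-purpose withdrawal, and answers the point-in-time question of whether processing for a purpose was covered by consent, so that processing before a withdrawal remains lawful while processing after it does not. The purpose names, the mechanism labels and the notice versions are assumptions chosen for illustration.

```python
"""Consent ledger illustrating Article 7 GDPR requirements (constructed example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Optional, Set


class ConsentError(ValueError):
    """Raised when a record would not amount to valid consent."""


# Mechanisms that count as a clear affirmative act (Art. 4(11) GDPR).
# Pre-ticked boxes, silence and inactivity are deliberately absent
# (CJEU, Planet49, C-673/17). The labels are assumptions for this example.
AFFIRMATIVE_MECHANISMS: Set[str] = {
    "checkbox_unticked_by_default",
    "button_click",
    "written_statement",
}


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str          # exactly one purpose from the controller's ROPA
    given: bool           # True = consent given, False = withdrawn
    at: datetime
    notice_version: str   # version of the information shown at the time (informed)
    mechanism: str        # how the act was performed (evidence, Art. 7(1))


def utc(year: int, month: int, day: int) -> datetime:
    """Timezone-aware timestamp helper used in the demo below."""
    return datetime(year, month, day, tzinfo=timezone.utc)


class ConsentLedger:
    """Append-only record of consent and withdrawal events per subject and purpose."""

    def __init__(self, registered_purposes: Iterable[str]):
        # Hypothetical ROPA purposes for which consent is the chosen legal basis.
        self._purposes = set(registered_purposes)
        self._events: List[ConsentEvent] = []

    def record_consent(self, subject_id: str, purposes: Iterable[str],
                       notice_version: str, mechanism: str,
                       at: Optional[datetime] = None) -> int:
        """Record one event per purpose (specific, not bundled); returns events added."""
        if mechanism not in AFFIRMATIVE_MECHANISMS:
            raise ConsentError(f"{mechanism!r} is not an affirmative act; nothing recorded")
        purposes = list(purposes)
        unknown = [p for p in purposes if p not in self._purposes]
        if not purposes or unknown:
            # Generic "data processing" consent is not specific and is rejected.
            raise ConsentError(f"purpose must be specific and registered; rejected: {unknown or purposes}")
        at = at or datetime.now(timezone.utc)
        for purpose in purposes:
            self._events.append(ConsentEvent(subject_id, purpose, True, at, notice_version, mechanism))
        return len(purposes)

    def withdraw(self, subject_id: str, purpose: str, at: Optional[datetime] = None) -> None:
        """Withdrawal takes effect from `at`; earlier events stay in the ledger as evidence."""
        at = at or datetime.now(timezone.utc)
        self._events.append(ConsentEvent(subject_id, purpose, False, at, "n/a", "withdrawal"))

    def evidence(self, subject_id: str, purpose: str) -> List[ConsentEvent]:
        """Chronological trail the controller can present on request (Art. 7(1))."""
        trail = [e for e in self._events if e.subject_id == subject_id and e.purpose == purpose]
        return sorted(trail, key=lambda e: e.at)

    def is_lawful(self, subject_id: str, purpose: str, at: Optional[datetime] = None) -> bool:
        """Was processing for `purpose` covered by consent at time `at`?

        Replays the trail up to `at`, so a later withdrawal does not make
        earlier processing unlawful (Art. 7(3), second sentence).
        """
        at = at or datetime.now(timezone.utc)
        state = False
        for ev in self.evidence(subject_id, purpose):
            if ev.at <= at:
                state = ev.given
        return state


if __name__ == "__main__":
    ledger = ConsentLedger({"newsletter", "analytics_cookies"})
    ledger.record_consent("u1", ["newsletter", "analytics_cookies"], "notice-v3",
                          "checkbox_unticked_by_default", at=utc(2024, 1, 10))
    ledger.withdraw("u1", "newsletter", at=utc(2024, 3, 1))
    print("newsletter lawful on 2024-02-15:", ledger.is_lawful("u1", "newsletter", at=utc(2024, 2, 15)))
    print("newsletter lawful on 2024-03-02:", ledger.is_lawful("u1", "newsletter", at=utc(2024, 3, 2)))
    print("cookies lawful on 2024-03-02:   ", ledger.is_lawful("u1", "analytics_cookies", at=utc(2024, 3, 2)))
```

The ledger is deliberately append-only: deleting the consent event on withdrawal would destroy the evidence that the processing carried out before the withdrawal was lawful, which is exactly what a controller must be able to show on audit. A real deployment would persist the events and add the purpose text and notice content behind each `notice_version`.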
Basis 2: Contract Performance (Article 6(1)(b))
Definition: Processing is necessary for the performance of a contract to which the data subject is party, or for taking steps at the data subject’s request prior to entering into a contract.
When to use:
- Fulfilling an online shop order (delivery address, billing data)
- Providing a service under a contract (law firm client data)
- Handling complaints and returns
- Maintaining a user account (if the account is part of the service)
- Pre-contractual steps at the individual’s request (e.g., preparing a quote)
Key limitation — “necessity”: Only data that is objectively necessary for contract performance may be processed. If a name, address, and phone number suffice for delivery, you cannot require a date of birth “because it’s in the form.” The EDPB in Guidelines 2/2019 stresses that “necessity” must be interpreted narrowly — it is not enough that processing is “useful” or “convenient” for the controller.
Pre-contractual steps: Article 6(1)(b) also covers processing at the pre-contractual stage — but only at the individual’s request. Example: a client asks for a service quote and provides their contact details. Sending unsolicited commercial offers does not fall within this basis.
Most common mistakes:
- Extending “contract performance” to marketing, analytics, or profiling — these are not necessary for the contract
- Relying on contract for employee data processing beyond the scope of the employment relationship
- Failing to distinguish between data necessary for the contract and data collected “incidentally”
Basis 3: Legal Obligation (Article 6(1)(c))
Definition: Processing is necessary for compliance with a legal obligation to which the controller is subject.
When to use:
- Maintaining employment documentation (Labour Code)
- Retaining tax documents (tax law, accounting law)
- Reporting data to social insurance and tax authorities
- Retaining medical records (Patient Rights Act)
- Providing data at the request of a court, prosecutor, or police
- Beneficial ownership register obligations (AML)
- Obligations under the national law transposing NIS2 (in Poland, the National Cybersecurity System Act); a directive itself does not create obligations for controllers until transposed
Key requirement — a specific legal provision: The controller must identify the specific legal provision that imposes the processing obligation. A general reference to “legal requirements” is not sufficient — the specific provision must be cited.
The legal obligation must arise from EU or Member State law — not from internal company regulations or contracts.
Right to erasure, limited: when processing is based on a legal obligation, an erasure request can be refused for as long as the legal retention obligation lasts (Article 17(3)(b) GDPR); the controller has both the right and the duty to retain the data for that period. Once the period expires, the data must be erased, as the legal obligation no longer supports processing.
Basis 4: Vital Interests (Article 6(1)(d))
Definition: Processing is necessary to protect the vital interests of the data subject or another natural person.
When to use:
- Life-threatening situations (e.g., emergency medical treatment, natural disasters)
- Processing data of an unconscious person to provide medical assistance
In practice this basis is used extremely rarely. Recital 46 GDPR indicates that it should be relied on only where the processing cannot manifestly be based on another legal basis, and “vital interests” means matters of life and death, not general interests of the individual. It cannot be invoked for routine business processes.
If another legal basis exists (e.g., consent, contract, legal obligation), it should be used instead of vital interests.
Basis 5: Public Interest (Article 6(1)(e))
Definition: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
When to use:
- Public administration bodies performing statutory tasks
- Public schools and universities (maintaining educational records)
- Public hospitals (in certain respects)
- Cultural institutions performing public tasks
- Organisations carrying out tasks delegated by public authorities
Key requirement: The public task must be established in EU or national law — not by the organisation’s internal decision. The controller must cite the specific provision.
Right to object: Individuals have the right to object to processing based on public interest (Article 21(1) GDPR). The controller may continue processing if it demonstrates compelling legitimate grounds that override the individual’s interests.
Note: Private entities generally cannot rely on this basis — unless they perform specific public tasks under law.
Basis 6: Legitimate Interest (Article 6(1)(f))
Definition: Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
When to use:
- Direct marketing to existing customers (Recital 47 GDPR expressly mentions this)
- CCTV for property protection
- Fraud prevention
- Establishing, exercising, or defending legal claims
- Network and IT system security
- Business analytics on pseudonymised data (truly anonymised data is no longer personal data and falls outside the GDPR altogether)
- Internal administrative purposes within a group of undertakings (Recital 48 GDPR)
Legitimate Interest Assessment (LIA):
Legitimate interest is the most flexible of the legal bases, but also the one that places the heaviest burden of justification on the controller: a balancing test (LIA) has to be conducted for each processing purpose that relies on it, comprising three stages:
Stage 1: Identify the interest — is the controller’s interest real, specific, and current? Is it legitimate (not contrary to law)?
Stage 2: Necessity test — is the processing objectively necessary to pursue that interest? Is there a less intrusive way to achieve the goal?
Stage 3: Balancing test — does the controller’s interest override the interests, rights, and freedoms of the individual? Factors to consider: the nature of the data, the individual’s reasonable expectations, the nature of the relationship, the impact on the individual, and the safeguards in place.
The LIA must be documented — in writing, before processing begins. In the event of a UODO audit or a data subject request, the controller must be able to present the LIA.
Most common mistakes:
- Not conducting a LIA
- Superficial LIA (one sentence instead of a thorough analysis)
- Using legitimate interest for purposes that clearly require consent
- Ignoring the individual’s right to object
- Public authorities using this basis — Article 6(1)(f) does not apply to processing by public authorities in the performance of their tasks
Right to object: The individual may object at any time to processing based on legitimate interest (Article 21(1) GDPR). For direct marketing, the objection is absolute — the controller must immediately cease processing (Article 21(2)–(3) GDPR).
Special Categories of Data — Article 9 GDPR
If you process special category data (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to uniquely identify a person, health data, and data concerning sex life or sexual orientation), Article 6 alone is not sufficient. Article 9(1) prohibits such processing unless one of the conditions in Article 9(2) GDPR is also met, such as explicit consent, employment and social security law obligations, vital interests, processing by a non-profit body, data manifestly made public by the individual, legal claims, substantial public interest, health purposes, or archival, research or statistical purposes.
How to Choose the Right Legal Basis — A Practical Algorithm
- Is there a legal provision requiring the processing? → Yes → Legal obligation (c)
- Is processing necessary for a contract with the individual? → Yes → Contract (b)
- Does it concern a public task? → Yes → Public interest (e)
- Is there a threat to life? → Yes → Vital interests (d)
- Does the controller have a specific, legitimate interest that does not unduly affect the individual’s rights? → Yes → Legitimate interest (f) — conduct a LIA
- None of the above applies? → Consent (a) — a last resort, not the default
Key principle: Consent should not be the default choice. The EDPB stresses that consent is the appropriate basis only when no other basis applies and the individual has a genuine, free choice.
Changing the Legal Basis — Is It Permissible?
The EDPB in Guidelines 2/2019 indicates that the controller should determine the legal basis before processing begins and should not, in principle, change it. Changing the legal basis during processing is problematic because it violates the transparency principle, may affect data subject rights, and may indicate a lack of thorough assessment.
Exceptionally, a change may be justified — e.g., when the legal situation changes (a new provision imposes a processing obligation). But this requires re-informing data subjects and updating documentation.
Checklist — Legal Bases for Processing
- For each processing purpose in the ROPA, check that a specific legal basis is identified.
- Ensure the basis is correctly selected (do not use consent where contract is appropriate).
- If using legitimate interest — conduct and document a LIA.
- If using consent — verify it meets Article 7 GDPR requirements.
- If processing special category data — check that an Article 9(2) condition is met.
- Check privacy notices — do they state the correct legal basis for each purpose?
- Do not combine legal bases — one basis per purpose.
- Do not change the legal basis during processing without good reason.
- Train HR, marketing, and sales staff — they most often decide on data collection.
- Regularly review legal bases — process changes may require updates.
Need Help With Legal Bases?
Correct selection of legal bases is the foundation of GDPR compliance — and an element UODO checks in every audit. At the Law Office of Dr Joanna Maniszewska-Ejsmont, we help companies and institutions analyse and select legal bases for processing — for every process, every purpose, every data category. We conduct Legitimate Interest Assessments (LIAs), verify consent mechanisms, and update documentation.

Contact us — we will analyse your processing activities and select the correct legal bases.
