Lawful Basis
Under the GDPR, one of six specific legal grounds that must be identified and documented for any processing of personal data to be permissible.
What Is a Lawful Basis?
The GDPR prohibits processing of personal data unless the controller can rely on at least one of the six lawful bases listed in Article 6(1). The basis must be identified before processing begins, documented under the accountability principle, and disclosed to data subjects in the privacy notice (Articles 13 and 14). Without a valid lawful basis the processing is unlawful regardless of how secure or beneficial it may be. The choice of basis also determines which data subject rights apply: for example, the right to data portability is available only where processing rests on consent or contract, while the right to object applies to processing based on legitimate interests or public task.
The Six Lawful Bases Under Article 6
- **Consent**: a freely given, specific, informed and unambiguous indication of the data subject's agreement
- **Contract**: necessary for the performance of a contract to which the data subject is party, or for steps taken at the data subject's request before entering into a contract
- **Legal obligation**: necessary to comply with a legal obligation to which the controller is subject (statutory, not contractual, obligations)
- **Vital interests**: necessary to protect the vital interests of the data subject or of another natural person
- **Public task**: necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- **Legitimate interests**: necessary for the legitimate interests pursued by the controller or a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject
Special Category Data
Processing of special category data (Article 9) (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed to uniquely identify a person, health data, and data concerning sex life or sexual orientation) is prohibited unless the controller has both an Article 6 lawful basis and one of the additional conditions in Article 9(2), such as explicit consent, employment and social security law, vital interests where the data subject cannot consent, public health, or scientific research.

Two caveats apply to the Article 6 bases themselves. Consent must be as easy to withdraw as it was to give (Article 7(3)), and reliance on consent in employment relationships is generally disfavored because the power imbalance between employer and employee undermines the "freely given" requirement. Legitimate interests is only available after a documented balancing test (a legitimate interests assessment) showing that the controller's interests are not overridden by the data subject's rights, and it cannot be relied on by public authorities for processing carried out in the performance of their tasks.