
GDPR Article 6: The 6 Lawful Bases for Processing

GDPR Article 6 sets out the six lawful bases for processing personal data: consent, contract, legal obligation, vital interests, public task, legitimate interests.

In one sentence. GDPR Article 6 lists the six lawful bases that authorize the processing of personal data: (a) consent, (b) contract performance, (c) legal obligation, (d) vital interests, (e) public task / official authority, (f) legitimate interests. At least one must apply for any processing activity to be lawful. Selecting and documenting the correct basis is the first compliance question on every Record of Processing Activity entry.

Every processing of personal data must rest on a lawful basis (Article 6(1) GDPR). Choosing the wrong basis is one of the most-cited causes of CNIL and other DPA sanctions — the CNIL imposed €389M of fines between 2021 and 2025 specifically for unlawful basis or invalid consent. This guide explains each of the six bases, when each applies, and how to document the choice defensibly.

For related deep-dives: GDPR consent wording examples, GDPR legitimate interest guide, Records of Processing template.

Key takeaways

  • Article 6(1) lists six exhaustive lawful bases. At least one must apply.
  • The bases are not interchangeable — the right choice depends on the actual processing context, not commercial preference.
  • The same processing activity uses one lawful basis. Switching mid-processing requires re-authorization.
  • For special category data (health, biometrics, etc.), Article 9 adds a second-layer condition on top of Article 6.
  • The basis must be identified before processing starts and documented in the Record of Processing Activity.

1. Article 6(1) text and the six bases

GDPR Article 6(1) states:

“Processing shall be lawful only if and to the extent that at least one of the following applies: (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (c) processing is necessary for compliance with a legal obligation to which the controller is subject; (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person; (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.”

2. (a) Consent

The most well-known basis, and also one of the most fragile. Consent must be freely given, specific, informed, unambiguous (Article 4(11) + Recital 32), and withdrawable at any time, as easily as it was given (Article 7(3)). For practical wording, see GDPR consent wording examples.

When to use: marketing emails, optional cookies, optional features the user opts into, sharing data with partners.

When NOT to use: employment relationships (the power imbalance usually means consent is not freely given), service-essential processing (use contract instead), processing required by law (use legal obligation instead).

3. (b) Contract performance

Processing necessary to perform a contract the data subject is party to, or take pre-contract steps at their request.

When to use: shipping an order, processing a payment, providing the actual service the user signed up for, handling customer support.

Limit: only data strictly necessary for the contract qualifies. “Improving our service” rarely qualifies on its own — see legitimate interest.

4. (c) Legal obligation

Processing required by EU or Member State law to which the controller is subject.

When to use: tax records (kept for 6-10 years), AML/KYC checks for regulated entities, employee data required by social security law, court orders.

Limit: a contractual obligation isn’t a legal obligation. The law must require the specific processing.

5. (d) Vital interests

Processing necessary to protect the vital interests of the data subject or another person.

When to use: medical emergencies (the unconscious patient at the ER), humanitarian aid, missing persons.

Limit: rarely the right basis for routine processing. EDPB has clarified this is for life-threatening situations, not “important business needs.”

6. (e) Public task

Processing necessary for a task carried out in the public interest or under official authority.

When to use: by public authorities (administrations, public hospitals, public schools) for their statutory missions.

Limit: private companies generally can’t invoke this. Quasi-public bodies (delegated public service missions) may.

7. (f) Legitimate interests

The most flexible, and most contested, basis. Relying on it requires a documented three-part legitimate interest assessment (LIA), of which the third step is the “balancing test”:

  1. Purpose test: is the interest pursued legitimate (lawful, clearly articulated, real and present rather than speculative)?
  2. Necessity test: is the processing necessary to achieve that interest, or would a less intrusive means achieve the same result?
  3. Balancing test: weighing the controller’s interest against the data subject’s interests, rights and reasonable expectations, do the data subject’s prevail? If they do, the interest is “overridden” in the words of Article 6(1)(f) and the basis is unavailable.

When to use: fraud prevention, IT security monitoring, B2B prospecting (in some EU countries), basic analytics, internal administration.

When NOT to use: special category data (Article 9 forbids it as standalone basis), processing children’s data without extra care, where consent would be more appropriate (e.g., marketing emails).

The CNIL and EDPB have clarified that invoking legitimate interest without a documented balancing test is itself a sanctionable failure. See GDPR legitimate interest guide.

8. Choosing the right basis: decision matrix

| Processing | Recommended basis | Why |
| --- | --- | --- |
| Newsletter sign-up | Consent (a) | Marketing, opt-in |
| Order fulfillment | Contract (b) | Necessary to deliver |
| Payroll | Legal obligation (c) | Tax + social security law |
| AML/KYC | Legal obligation (c) | Regulated by law |
| Medical emergency | Vital interests (d) | Life-saving |
| Public school enrollment | Public task (e) | Statutory mission |
| Fraud detection | Legitimate interests (f) | With balancing test |
| Job application | Pre-contract steps (b) | At candidate’s request |
| Behavioral advertising | Consent (a) | High-impact processing |
| IT security logs | Legitimate interests (f) | With balancing test |
| Customer support tickets | Contract (b) | Part of service |
| Internal administration | Legitimate interests (f) | Light, balancing test |

9. Special categories of data: Article 6 + Article 9

Processing special category data (health, biometrics, religion, political opinions, sexual orientation, etc.) requires both:

  • A lawful basis under Article 6, AND
  • An additional condition under Article 9(2) (e.g., explicit consent, employment law, vital interests, important public interest)

For the practical wording, see our GDPR consent wording examples (Section 5 covers Article 9 explicit consent).

10. Documentation requirements

The lawful basis must be:

  • Identified before processing starts
  • Documented in the Record of Processing Activity (Article 30) — see ROPA template
  • Communicated to the data subject in the privacy notice (Articles 13-14)
  • Justified if challenged (especially for legitimate interests — keep the LIA on file)

11. Switching the lawful basis

The EDPB (Guidelines 2/2019) clarifies that switching the lawful basis after processing has started is generally not permissible. For example, processing started under consent cannot pivot to legitimate interest if consent is withdrawn — the data must be deleted unless another basis applied from the start.

This is why basis selection is a one-time, documented decision — not a fallback strategy.
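The rules in sections 9 to 11 (one basis per activity, an Article 9(2) condition on top of Article 6 for special category data, an LIA on file for basis (f), the basis stated in the privacy notice, and no silent switching once processing has started) are the kind of consistency checks a ROPA tool can run automatically. The following is an added illustration, not code from this page, from Legiscope or from any DPA; the entry fields, the abbreviated category labels and the sample entries are assumptions made for the example.

```python
"""Consistency checks over Record of Processing Activity (ROPA) entries.

Added example: the RopaEntry schema and SAMPLE_ENTRIES are constructed for
illustration and are not a published ROPA format.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

ART6_BASES = {"a", "b", "c", "d", "e", "f"}
# Abbreviated labels for the Article 9(1) categories (assumed naming).
SPECIAL_CATEGORIES = {"health", "biometric", "genetic", "racial_ethnic",
                      "political", "religious", "union", "sex_life"}
# Controller types that may invoke basis (e) (assumed naming).
PUBLIC_CONTROLLERS = {"public_authority", "delegated_public_service"}


@dataclass
class RopaEntry:
    name: str
    purpose: str
    basis: str                        # the Article 6(1) letter recorded, "a".."f"
    data_categories: Set[str]
    controller_type: str = "private"
    art9_condition: Optional[str] = None   # e.g. "9(2)(b) employment law"
    lia_on_file: bool = False              # legitimate interest assessment kept
    notice_states_basis: bool = False      # privacy notice (Art. 13/14) names it
    basis_history: List[str] = field(default_factory=list)  # earlier bases, if any


def check_entry(e: RopaEntry) -> List[str]:
    """Return human-readable findings; an empty list means no rule is violated."""
    findings: List[str] = []
    # Rule 1: exactly one Article 6(1) basis. "a, f" (consent with legitimate
    # interest as a fallback) is rejected outright.
    recorded = {b.strip() for b in e.basis.replace(",", " ").split()}
    if len(recorded) != 1 or not recorded <= ART6_BASES:
        findings.append("exactly one Article 6(1) basis (a-f) must be recorded")
        return findings  # the remaining checks assume a single valid basis
    basis = recorded.pop()
    # Rule 2: special category data needs an Article 9(2) condition as well.
    if e.data_categories & SPECIAL_CATEGORIES and not e.art9_condition:
        findings.append("special category data without an Article 9(2) condition")
    # Rule 3: basis (f) is only defensible with the balancing test documented.
    if basis == "f" and not e.lia_on_file:
        findings.append("basis (f) recorded but no legitimate interest assessment on file")
    # Rule 4: basis (e) is for public or delegated-public controllers.
    if basis == "e" and e.controller_type not in PUBLIC_CONTROLLERS:
        findings.append("basis (e) invoked by a private controller")
    # Rule 5: basis (d) should never describe routine processing.
    if basis == "d":
        findings.append("basis (d) recorded: confirm a genuine emergency, not routine processing")
    # Rule 6: the basis cannot be swapped after processing has started.
    if e.basis_history:
        findings.append("basis changed after processing started; fresh authorization required")
    # Rule 7: transparency obligation.
    if not e.notice_states_basis:
        findings.append("privacy notice does not state the lawful basis (Articles 13-14)")
    return findings


def audit(entries: List[RopaEntry]) -> Dict[str, List[str]]:
    """Map each entry name to its findings, for the whole register."""
    return {e.name: check_entry(e) for e in entries}


# Constructed sample register: two clean entries and three with defects.
SAMPLE_ENTRIES = [
    RopaEntry("newsletter", "marketing emails", "a", {"email"}, notice_states_basis=True),
    RopaEntry("fraud-detection", "payment fraud scoring", "f", {"transactions", "ip"},
              notice_states_basis=True),                       # no LIA on file
    RopaEntry("occupational-health", "sick-leave records", "c", {"health", "name"},
              notice_states_basis=True),                       # missing Art. 9(2)
    RopaEntry("analytics", "site analytics", "a, f", {"cookies"},
              notice_states_basis=True),                       # two bases "just in case"
    RopaEntry("payroll", "salary payment", "c", {"bank_account", "name"},
              notice_states_basis=True),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ENTRIES).items():
        print(name, "->", findings or "OK")
```

Rule 1 returns early on purpose: once an entry lists two bases there is no single basis against which the later rules make sense, and the finding that matters is the one telling the controller to pick one. The checks are deliberately paper-level (is the LIA on file, is the notice updated); they do not decide whether the basis chosen is the right one for the facts, which is the judgement sections 2 to 8 describe.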

12. Sanctions for invalid lawful basis

Article 83(5)(a) GDPR makes processing without a valid lawful basis subject to fines of up to €20 million or, for an undertaking, 4% of total worldwide annual turnover, whichever is higher. Notable cases:

  • Meta Platforms Ireland (DPC, January 2023): €390M for unlawful basis on behavioral advertising (consent vs. contract)
  • Google LLC (CNIL, 2019): €50M for inadequate consent on personalized ads
  • TIM SpA (Garante, 2020): €27.8M for unlawful processing of marketing data without valid basis

For tooling that automates lawful basis documentation in your ROPA, see Legiscope.

For related context: GDPR consent wording examples, GDPR legitimate interest guide, data privacy compliance guide, Records of Processing template.

Conclusion

GDPR Article 6 looks short — six bullet points — but it is the foundation of every other compliance obligation. Pick the right basis, document why, communicate it transparently, and stick with it. Most of the major GDPR fines trace back to either invalid consent (basis a) or unsupported legitimate interest claims (basis f). The other four bases are narrower in scope but easier to defend when correctly invoked.

FAQ

What are the six lawful bases under GDPR Article 6?

(a) Consent, (b) Contract performance, © Legal obligation, (d) Vital interests, (e) Public task, (f) Legitimate interests. At least one must apply for any processing of personal data to be lawful.

Can I rely on multiple lawful bases simultaneously?

No. Each purpose within a processing activity should rest on one lawful basis; if an activity genuinely serves several distinct purposes, identify the basis for each purpose separately. Listing multiple bases in the privacy notice “just in case”, as a fallback should one fail, is considered misleading by the EDPB and may itself be a transparency violation.

Is consent always the safest lawful basis?

No, and it is often the riskiest. Consent must be freely given (which generally excludes employment contexts), specific, informed, unambiguous, and withdrawable. If it is withdrawn, processing must stop and the data must be deleted unless another basis applied from the start. For service-essential processing, contract performance is more appropriate.

Do I need a legitimate interest assessment (LIA)?

If you invoke Article 6(1)(f), yes. The three-part test (purpose, necessity, balancing) must be documented before processing starts. The LIA is the document you’ll be asked for during a CNIL inspection.

What’s the difference between Article 6 and Article 9 GDPR?

Article 6 covers the lawful basis for all personal data processing. Article 9 adds a second condition for processing special categories of data (health, biometrics, religion, etc.). Both must be satisfied to process special categories.

Written by
Founder of Legiscope and GDPR expert

Doctor of Law from Université Panthéon-Assas (Paris II), with 23 years of experience in digital law and GDPR compliance. Former adviser to the Prime Minister's administration on GDPR implementation. Thiébaut is the founder of Legiscope, an AI-automated GDPR compliance platform.
