LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

What are the six lawful bases for processing personal data under GDPR Article 6?

Processing is only lawful if it rests on one of six grounds: consent, contract, legal obligation, vital interests, public task, or legitimate interests.

Under the GDPR, you may not touch personal data unless at least one of these applies:

  1. Consent — the person freely, specifically, and unambiguously agreed.
  2. Contractual necessity — needed to perform a contract with the person (e.g. shipping an order).
  3. Legal obligation — required by law (e.g. retaining invoices for tax).
  4. Vital interests — to protect someone's life (e.g. emergency medical care).
  5. Public task — carried out in the public interest or official authority.
  6. Legitimate interests — a genuine business interest that isn't overridden by the person's rights (requires a balancing test).

The crucial point: consent is only one of six — organisations often over-rely on it when "contract" or "legitimate interests" is the cleaner, more honest basis. You must pick and document your basis before processing, and you can't silently switch later.

Tip: No lawful basis = no processing. "We had the data lying around" is never a basis.

Go deeper:

From Quiz: PRIVACY / Data Anonymization — k-Anonymity, l-Diversity & Re-identification | Updated: Jul 05, 2026