Quiz Entry - updated: 2026.07.05
What are the six lawful bases for processing personal data under GDPR Article 6?
Processing is only lawful if it rests on one of six grounds: consent, contract, legal obligation, vital interests, public task, or legitimate interests.
Under the GDPR, you may not touch personal data unless at least one of these applies:
- Consent — the person freely, specifically, and unambiguously agreed.
- Contractual necessity — needed to perform a contract with the person (e.g. shipping an order).
- Legal obligation — required by law (e.g. retaining invoices for tax).
- Vital interests — to protect someone's life (e.g. emergency medical care).
- Public task — carried out in the public interest or official authority.
- Legitimate interests — a genuine business interest that isn't overridden by the person's rights (requires a balancing test).
The crucial point: consent is only one of six — organisations often over-rely on it when "contract" or "legitimate interests" is the cleaner, more honest basis. You must pick and document your basis before processing, and you can't silently switch later.
Tip: No lawful basis = no processing. "We had the data lying around" is never a basis.
Go deeper:
GDPR Article 6 — Lawfulness of processing — the authoritative text of all six bases.