The Six GDPR Lawful Bases: How to Choose the Right One
## The short answer
Under GDPR you cannot process personal data unless you have a valid "lawful basis". There are six to choose from, and you must identify the right one *before* you start processing, not after. The six are: consent, contract, legal obligation, vital interests, public task, and legitimate interests. No single basis is better than the others — the correct one depends on why you are using the data and your relationship with the person.
Choosing well matters because the basis you pick affects which rights people have. For example, if you rely on consent, people can withdraw it; if you rely on legitimate interests, they can object and you must weigh their objection.
## The six bases explained
**1. Consent.** The person has given clear, specific, freely given permission. Best for things people genuinely choose, like marketing emails. Consent must be as easy to withdraw as to give, and pre-ticked boxes do not count.
**2. Contract.** Processing is necessary to deliver a contract the person is party to, or to take steps at their request before entering one. Using a delivery address to fulfil an order is the classic example.
**3. Legal obligation.** You must process the data to comply with the law — for instance, keeping payroll records for tax purposes.
**4. Vital interests.** Processing is necessary to protect someone's life. Rare in ordinary business, typically relevant in emergencies.
**5. Public task.** Processing is necessary to perform a task in the public interest or under official authority. Mostly relevant to public bodies.
**6. Legitimate interests.** Processing is necessary for your (or a third party's) legitimate interests, provided those are not overridden by the person's rights. The most flexible basis, but it requires you to do and document a balancing test.
## How to choose
Work through this order of questions:
1. **Are you legally required to process this data?** If yes, use legal obligation.
2. **Is the processing necessary to fulfil a contract with the person?** If yes, use contract.
3. **Is it for marketing or something people should actively opt into?** Consent is usually the safest, and electronic marketing rules often require it anyway.
4. **Is it a reasonable use the person would expect that benefits your business without harming them?** Legitimate interests may fit — but document the balancing test.
5. **Are you a public authority carrying out official functions?** Public task may apply.
A single activity should have one primary basis. Avoid the temptation to list several "just in case" — that confuses people and weakens your position.
## The legitimate interests balancing test
If you rely on legitimate interests, you should run a three-part assessment and keep a note of it:
- **Purpose:** What is the legitimate interest you are pursuing?
- **Necessity:** Is the processing actually needed, or could you achieve the goal another way?
- **Balance:** Do the person's interests, rights and reasonable expectations override yours?
If the balance tips against you — for example, the processing is intrusive or unexpected — you cannot rely on this basis.
## Common mistakes to avoid
- **Defaulting to consent for everything.** Consent is often the hardest basis to maintain because it can be withdrawn. For order fulfilment, contract is simpler and sturdier.
- **Switching bases later.** You should pick the right basis up front and stick to it. Swapping basis after the fact, especially away from consent, undermines trust and is hard to justify.
- **Treating legitimate interests as a free pass.** It is flexible, not unlimited. Without the balancing test, it offers little protection.
- **Forgetting special category data.** Sensitive data needs an additional condition on top of your lawful basis.
## Document your decisions
For each processing activity, record the basis you chose and a one-line reason. This becomes invaluable when answering a customer query or an ICO question, and it forces clarity about why you hold each piece of data. Building this discipline in from the start is exactly the kind of structured, defensible approach we take when designing enterprise-grade products at neart.ai.
## Practical takeaway
Make a simple table: one row per processing activity, with columns for the purpose, the lawful basis, and a short justification. Use contract for fulfilling orders, legal obligation for statutory records, consent for marketing, and legitimate interests (with a balancing test) for sensible business uses people would expect. Decide once, write it down, and you have most of your lawful-basis compliance handled.