Legal Bases for Processing: When You Can Use Personal Data
Under GDPR, every processing activity requires a valid legal basis. Understanding the six available legal bases and when each applies helps organizations build compliant operations from the ground up.
Key Takeaways
| Point | Summary |
|---|---|
| 6 legal bases | Consent, Contract, Legal Obligation, Vital Interests, Public Task, Legitimate Interests |
| Most common for startups | Contract (service delivery), Legitimate Interests (business ops), Consent (marketing) |
| Consent requirements | Freely given, specific, informed, unambiguous, easy to withdraw |
| Legitimate Interests | Requires balancing test (your interest vs. individual's rights) |
| Document before processing | You must identify legal basis before collecting data, not after |
Quick Answer: You need one of 6 legal bases to process personal data. Most startups use: Contract (core service), Legitimate Interests (business operations), and Consent (marketing). Document your legal basis before any processing begins.
The Six Legal Bases
GDPR provides exactly six legal bases for processing personal data. You must identify and document at least one before any processing begins.
- Consent. Individual agrees to specific processing
- Contract. Processing needed to fulfill an agreement
- Legal Obligation. Required by law
- Vital Interests. Protecting someone's life
- Public Task. Official government functions
- Legitimate Interests. Business need balanced against user rights
Legal Basis 1: Consent
Consent is the most well-known basis but has strict requirements.
Requirements for Valid Consent
| Requirement | Meaning |
|---|---|
| Freely Given | No pressure, no bundling with services |
| Specific | Separate consent for different purposes |
| Informed | Clear explanation of what they're agreeing to |
| Unambiguous | Clear affirmative action (no pre-ticked boxes) |
| Withdrawable | Easy to withdraw at any time |
When to Use Consent
Good use cases:
- Marketing emails and newsletters
- Optional cookies and tracking
- Sharing data with third parties
- Processing special category data (explicit consent, Article 9(2)(a), alongside the Article 6 basis)
- Using data for new, incompatible purposes
Poor use cases:
- Core service functionality (use Contract instead)
- When there's a clear power imbalance (employer/employee, public authority/citizen)
- When users have no real choice
Consent Implementation
Collection:
- Clear explanation of processing purpose
- Separate checkboxes for different purposes
- No pre-ticked boxes
- Link to full privacy policy
- Record timestamp and exact wording
Storage:
- Log consent timestamp
- Record version of consent text
- Document how consent was obtained
- Link to user identifier
Withdrawal:
- Easy to find withdrawal option
- As easy to withdraw as to give
- Process withdrawal promptly
- Stop processing after withdrawal: processing done while consent was valid stays lawful (Article 7(3)), but continuing, or switching to another basis for the same purpose, does not
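The collection, storage and withdrawal checklist above is, in practice, an append-only consent log plus one query: "was consent for this purpose active for this user at this moment?" The following is an added example (not code from the original page) of such a ledger. It records one purpose per event so bundled consent cannot be logged by accident, refuses to record anything that was not an affirmative action, keeps the exact wording and its version, and lets a processing job filter recipients against the log. User IDs, purposes, wording and timestamps are constructed for the example; a real deployment would persist the events in an append-only store rather than an in-memory list.

```python
"""Append-only consent ledger (added example, not from the original page)."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class ConsentEvent:
    user_id: str
    purpose: str        # exactly one purpose per event ("specific")
    granted: bool       # True = consent given, False = consent withdrawn
    at: datetime        # when the event happened (timezone-aware, UTC)
    text_version: str   # version of the consent wording shown ("" for withdrawal)
    text: str           # exact wording shown ("" for withdrawal)
    method: str         # how it was obtained/withdrawn, e.g. "signup_checkbox"


class ConsentLedger:
    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []   # append-only; never edited in place

    def grant(self, user_id: str, purpose: str, at: datetime, text_version: str,
              text: str, method: str, affirmative_action: bool = True) -> None:
        # A pre-ticked box, silence or inactivity is not consent: refuse to log it.
        if not affirmative_action:
            raise ValueError("consent requires a clear affirmative action")
        if not text.strip():
            raise ValueError("record the exact wording the user agreed to")
        self._events.append(ConsentEvent(user_id, purpose, True, at, text_version, text, method))

    def withdraw(self, user_id: str, purpose: str, at: datetime, method: str) -> None:
        self._events.append(ConsentEvent(user_id, purpose, False, at, "", "", method))

    def is_permitted(self, user_id: str, purpose: str, at: datetime) -> bool:
        """Consent is active iff the latest event for (user, purpose) on or before `at` is a grant.

        Passing a past `at` answers "was this processing lawful when it happened?",
        which is what an audit asks after a withdrawal.
        """
        latest = None
        for e in self._events:
            if e.user_id == user_id and e.purpose == purpose and e.at <= at:
                if latest is None or e.at >= latest.at:
                    latest = e
        return latest is not None and latest.granted

    def recipients(self, user_ids: list[str], purpose: str, at: datetime) -> list[str]:
        """Filter a batch (e.g. a mailing list) down to users with active consent for `purpose`."""
        return [u for u in user_ids if self.is_permitted(u, purpose, at)]

    def audit_trail(self, user_id: str) -> list[ConsentEvent]:
        """Everything recorded for one user, in order: what they saw, when, and how."""
        return [e for e in self._events if e.user_id == user_id]


def rejects_preticked() -> bool:
    """A grant recorded without an affirmative action must be refused."""
    ledger = ConsentLedger()
    try:
        ledger.grant("carol", "marketing_email", datetime(2024, 1, 1, tzinfo=timezone.utc),
                     "v1", "Send me offers.", "preticked_box", affirmative_action=False)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Constructed scenario: alice consents to marketing then withdraws; bob consents only to analytics."""
    utc = timezone.utc
    ledger = ConsentLedger()
    wording_v2 = "Yes, send me the monthly product newsletter by email."  # constructed consent text
    ledger.grant("alice", "marketing_email", datetime(2024, 1, 10, tzinfo=utc), "v2", wording_v2, "signup_checkbox")
    ledger.grant("bob", "analytics", datetime(2024, 1, 11, tzinfo=utc), "v1", "Allow usage analytics.", "settings_toggle")
    ledger.withdraw("alice", "marketing_email", datetime(2024, 3, 1, tzinfo=utc), "unsubscribe_link")
    everyone = ["alice", "bob"]
    return {
        "alice_before_consent": ledger.is_permitted("alice", "marketing_email", datetime(2024, 1, 1, tzinfo=utc)),
        "alice_while_consented": ledger.is_permitted("alice", "marketing_email", datetime(2024, 2, 1, tzinfo=utc)),
        "alice_after_withdrawal": ledger.is_permitted("alice", "marketing_email", datetime(2024, 3, 2, tzinfo=utc)),
        "bob_marketing": ledger.is_permitted("bob", "marketing_email", datetime(2024, 2, 1, tzinfo=utc)),  # analytics consent does not cover marketing
        "recipients_feb": ledger.recipients(everyone, "marketing_email", datetime(2024, 2, 1, tzinfo=utc)),
        "recipients_apr": ledger.recipients(everyone, "marketing_email", datetime(2024, 4, 1, tzinfo=utc)),
        "alice_trail_len": len(ledger.audit_trail("alice")),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things the checklist implies but code makes concrete: consent is keyed by purpose, so bob's analytics consent never authorises marketing to him, and the time-stamped query lets you show that the February send to alice was lawful while the April one would not have been.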
Legal Basis 2: Contract
Use this basis when processing is necessary to fulfill a contract with the individual.
When Contract Applies
| Processing Activity | Contract Basis Valid? |
|---|---|
| Processing order and shipping address | Yes |
| Sending purchase confirmation | Yes |
| Providing the subscribed service | Yes |
| Account creation for service access | Yes |
| Marketing to existing customers | No (see ePrivacy "soft opt-in" below) |
| Sharing with third-party advertisers | No (use consent) |
Key Requirements
- Contract must exist or be about to be entered into
- Processing must be objectively necessary for the contract
- Cannot use to justify processing you simply want to do
- Document the connection between processing and contract
Pre-Contractual Steps
You can also process data for steps at the individual's request before entering a contract:
- Quote requests
- Service inquiries
- Trial account setup
- Application processing
Legal Basis 3: Legal Obligation
Use when processing is required to comply with the law.
Common Legal Obligations
| Obligation | Processing Required |
|---|---|
| Tax Laws | Financial records retention |
| Employment Law | Employee records |
| Anti-Money Laundering | Identity verification |
| Health & Safety | Incident records |
| Court Orders | Disclosed information |
Requirements
- Must be a specific legal requirement (not just "good practice")
- Document the specific law requiring the processing
- Only process what the law requires
- EU or member state law (not foreign laws)
Legal Basis 4: Vital Interests
Use only when processing is necessary to protect someone's life.
When Vital Interests Applies
This is an emergency basis for truly life-threatening situations:
- Medical emergencies
- Humanitarian crises
- Life-threatening situations
Rarely applicable for startups unless you operate in healthcare, emergency services, or similar sectors.
Limitations
- In principle only where the processing cannot manifestly be based on another legal basis (Recital 46)
- Not for general health and wellness
- Must be genuinely life-threatening
- Document the emergency circumstances
Legal Basis 5: Public Task
Use when processing is necessary for official government functions.
Applicability
This basis is primarily for:
- Government bodies
- Organizations exercising official authority
- Public interest tasks defined in law
Rarely applicable for private startups unless you're contracted to perform public functions.
Legal Basis 6: Legitimate Interests
The most flexible basis, but requires careful balancing.
The Statutory Test (Article 6(1)(f))
Article 6(1)(f) permits processing when necessary for legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, in particular where the data subject is a child.
This is the actual legal requirement. To help organizations conduct this assessment systematically, the European Data Protection Board (EDPB) and its predecessor (Article 29 Working Party) developed a recommended methodology.
The Three-Part Test (EDPB/WP29 Methodology)
While not a statutory requirement, documenting a legitimate interests assessment (LIA) using this three-part framework is recommended practice and demonstrates due diligence:
Part 1: Purpose Test
- What is your legitimate interest?
- Is it lawful and clearly articulated?
- Is it a real and present interest?
Part 2: Necessity Test
- Is processing actually necessary for this purpose?
- Is there a less intrusive way to achieve it?
- Is the processing proportionate?
Part 3: Balancing Test
- What impact does processing have on individuals?
- Would individuals expect this processing?
- What is the nature of the data (sensitive)?
- Are any individuals vulnerable (children)?
- What safeguards can you implement?
- Can individuals object or opt out?
Common Legitimate Interests
| Interest | Typically Valid | Considerations |
|---|---|---|
| Fraud Prevention | Yes | Essential business protection |
| Network Security | Yes | Protecting systems and users |
| Direct Marketing | Sometimes | Works with ePrivacy "soft opt-in" for existing customers; new contacts need consent |
| Analytics | Usually | Aggregate/anonymize where possible; this covers the analysis itself, but any cookies or device identifiers used to collect it still need ePrivacy consent unless strictly necessary |
| Intra-Group Transfers | Usually | Document business necessity |
| Customer Service Improvement | Usually | Reasonable expectation |
| Legal Claims | Yes | Establishing/defending claims |
Legitimate Interests Limitations
Cannot use for:
- Processing where the individual's interests or fundamental rights override yours (the balancing test fails)
- Special category data on its own: an Article 9(2) condition is required in addition to the Article 6 basis (see below)
- Processing for which consent was sought and refused or later withdrawn (you cannot swap bases after the fact)
- Processing by public authorities in the performance of their tasks (Article 6(1), final subparagraph)
- Processing with significant impact on individuals unless strong safeguards tip the balance back in your favour
Special Category Data: Article 9(2) Bases
Special category data (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used for unique identification, health, sex life or sexual orientation) needs two things: an Article 6 basis like any other personal data, plus one of the 10 specific conditions in Article 9(2). An Article 6 basis alone, legitimate interests included, is never enough:
| Basis | When It Applies |
|---|---|
| Explicit consent | Individual explicitly agrees to the specific processing |
| Employment/social security law | Required for employment or social protection obligations |
| Vital interests | Protecting life when individual cannot consent |
| Legitimate activities of foundations/associations | Non-profits processing members' data with appropriate safeguards |
| Manifestly public data | Individual has clearly made the data public themselves |
| Legal claims | Establishing, exercising, or defending legal claims |
| Substantial public interest | Processing necessary for reasons of substantial public interest |
| Medical/health purposes | Healthcare, occupational medicine, health system management |
| Public health | Protecting against cross-border health threats, ensuring quality of care |
| Archiving/research purposes | Scientific, historical research, or statistical purposes with safeguards |
Key point: Explicit consent is just one of the ten conditions, and it always sits alongside an Article 6 basis. Many organizations processing health data, for example, rely on the medical purposes condition (Article 9(2)(h)) together with contract or legitimate interests rather than on consent.
Choosing the Right Legal Basis
Use this decision framework, working through the questions in order and recording the answer at each step:
Is the processing required by EU or member state law?
- Yes → Legal Obligation
Is the processing objectively necessary to deliver a contract with the individual (or pre-contractual steps they requested)?
- Yes → Contract
Can you offer a genuine, free choice, and will you stop if the individual says no or later withdraws?
- Yes → Consent (once consent is refused or withdrawn you cannot fall back on another basis for the same processing)
Do you have a genuine business need that passes the three-part test?
- Yes → Legitimate Interests (complete and retain the LIA, implement safeguards, provide an opt-out)
Is this a life-threatening emergency that cannot manifestly rest on another basis?
- Yes → Vital Interests
Are you a public authority, or exercising official authority, performing a task laid down in law?
- Yes → Public Task
Documenting Your Legal Basis
For each processing activity, document:
| Element | Documentation Required |
|---|---|
| Processing Activity | Clear description of what you're doing |
| Data Categories | Types of personal data involved |
| Legal Basis | Which of the six bases applies |
| Justification | Why this basis is appropriate |
| For Consent | How obtained, timestamp, version |
| For Legitimate Interests | Full LIA assessment |
| For Legal Obligation | Specific law reference |
Common Startup Scenarios
| Scenario | Recommended Legal Basis |
|---|---|
| User account creation | Contract |
| Service delivery | Contract |
| Purchase transactions | Contract |
| Marketing emails (new users) | Consent |
| Marketing (existing customers) | ePrivacy "soft opt-in"* + Legitimate Interests |
| Analytics | Legitimate Interests for the analysis; non-essential analytics cookies still need ePrivacy consent, except under narrow national audience-measurement exemptions |
| Essential cookies | Legitimate Interests/Contract |
| Marketing cookies | Consent |
| Fraud prevention | Legitimate Interests |
| Sharing with ad networks | Consent |
\* *The existing-customer marketing exemption derives from ePrivacy Directive Article 13(2), not GDPR alone. It permits electronic marketing without prior consent only when: (1) the contact details were obtained in the context of a sale of a product or service, (2) the marketing is for your own similar products or services, and (3) a free and easy opt-out is offered when the details are collected and in every subsequent message. National implementations vary (some extend the exemption to negotiations for a sale), so check local law. See also GDPR Recital 47.*
How Bastion Helps
Selecting and documenting legal bases requires careful analysis of your specific processing activities. Working with experienced partners helps ensure your approach is defensible and well-documented.
| Challenge | How We Help |
|---|---|
| Basis Selection | Expert guidance on choosing appropriate bases for your use cases |
| LIA Documentation | Templates and support for legitimate interests assessments |
| Consent Management | Implementation of compliant consent mechanisms |
| Audit Trail | Streamlined documentation and evidence collection |
| Ongoing Review | Regular reviews to ensure legal bases remain appropriate as your business evolves |
Having additional expertise helps get these foundational decisions right the first time, avoiding the need for costly corrections when issues surface during audits or regulatory inquiries.
Questions about legal basis selection for your processing activities? Talk to our team →
