GDPR Obligations | Updated: 6 April 2026 | 5 min read

The 6 GDPR Legal Bases: When Can You Process Personal Data?

The GDPR provides 6 legal bases for processing personal data. This article explains them practically for SMEs, with concrete examples and the most common mistake: asking consent for everything.

Key Takeaways
  • Every processing of personal data requires a legal basis - without one, the processing is unlawful
  • For SMEs, four legal bases are most relevant: consent, contract, legal obligation, and legitimate interest
  • The most common mistake: asking consent for everything, when another basis would be more appropriate
  • Choose your legal basis in advance and document it in your processing register

The GDPR is crystal clear on this point: you may only process personal data if you have a valid legal basis. Article 6 of the GDPR gives you six options. None of the six apply? Then you simply cannot process the data.

Sounds strict, but in practice it is manageable. Most SMEs deal with no more than three or four legal bases. Below we walk through all of them, with concrete examples so you can immediately determine which ones apply to your processing activities.

1. Consent

When: someone gives you their voluntary, specific, and unambiguous consent.

Example: a website visitor subscribes to your newsletter. You place marketing cookies only after someone clicks “accept.”

Note: consent must be truly free. A pre-ticked box does not count. The data subject can withdraw consent at any time, after which you must immediately stop that processing. This makes consent a fragile basis.

2. Performance of a contract

When: the processing is necessary to perform a contract or to take steps at the data subject’s request before entering into a contract.

Example: a customer places an order in your webshop. You need their name, address, and payment details to process and deliver the order. That is permitted because it is necessary for performing the purchase agreement.

Note: this only covers processing that is truly necessary for the contract. Shipping the order? Yes. Adding the customer’s email to your marketing list? No, that falls outside the contract.

3. Legal obligation

When: the law requires you to process or retain certain data.

Example: your accounting records. Tax authorities require you to keep invoices for 7 years, including the customer details on them. Your payroll administration contains national identification numbers because the law requires it.

Note: you can only rely on a concrete, specific legal obligation. “It seemed like a good idea” is not a legal obligation.

4. Vital interest

When: the processing is necessary to protect someone’s life.

Example: a visitor at your premises suffers a heart attack and you share their medical information with the ambulance service.

In practice, this basis is rarely relevant for most SMEs. You only encounter it in healthcare or emergency situations.

5. Public interest or public authority

When: the processing is necessary for a task carried out in the public interest or in the exercise of official authority.

Example: a municipality processing personal data for population registry purposes.

As an SME, you will almost never need this basis. This is the domain of government bodies and public institutions.

6. Legitimate interest

When: you have a legitimate interest that outweighs the privacy interests of the data subject.

Example: you analyse visitor statistics on your website to understand which pages are popular. Or you install cameras at your premises for burglary prevention. Or you send an existing customer an email about a similar product (soft opt-in).

Note: you must conduct a balancing test. Your interest must outweigh the impact on the data subject’s privacy. Document this assessment, as the supervisory authority may ask for it.

The four bases SMEs use most

In practice, these are the legal bases SMEs use most frequently:

Processing                        Legal basis
Sending a newsletter              Consent
Placing marketing cookies         Consent
Processing an order               Contract
Preparing a quote                 Contract
Retaining invoices (7 years)      Legal obligation
Payroll administration            Legal obligation
Website analytics                 Legitimate interest
IT security/logging               Legitimate interest

Many SME owners think: “if I ask consent for everything, I’m covered.” This is a misunderstanding that can get you into trouble.

Why? Because consent can be withdrawn at any time. If a customer withdraws consent for a processing activity where you actually had a better basis (such as contract or legal obligation), you still have to stop - even though you could have lawfully continued.

Example: you ask consent to put customer details on an invoice. The customer withdraws consent. Now you have a problem, because tax law requires you to keep those details. Had you chosen “legal obligation” as your basis from the start, there would be no issue.

The rule of thumb: only use consent when no other basis is available. And when you do ask for consent, make sure withdrawing it is just as easy as giving it.

  1. Processing register - record which legal basis you use per processing activity
  2. Privacy policy - state the basis per processing purpose
  3. Balancing test - for each processing based on legitimate interest, write a brief assessment

Tip: choose your legal basis before you start processing, not afterwards. Retroactively finding a basis that fits what you are already doing is not how the GDPR works, and it is exactly what supervisory authorities check during inspections.

Do you know which legal bases you use?

GDPRWise helps you choose the right legal basis per processing activity and automatically documents everything in your processing register and privacy policy.

GDPRWise Editorial

This article was written by the GDPRWise team and reviewed by our privacy experts. We regularly review our content for accuracy and legal correctness.