
Legal basis

A legal basis is one of the six grounds for lawful processing required under Article 6 GDPR; without at least one of these grounds, any processing of personal data is unlawful.

The GDPR follows the principle of prohibition subject to permission: every processing of personal data is generally forbidden unless it can be based on at least one of the legal bases exhaustively listed in Article 6(1) GDPR. The controller must determine and document the applicable legal basis before processing begins; switching it afterwards is generally not permitted. Choosing the correct legal basis is therefore not a mere formality but a precondition for lawfulness and at the same time the anchor for data subject rights and information obligations.

Article 6(1) sets out six grounds: the data subject's consent (point a), necessity for the performance or initiation of a contract (point b), compliance with a legal obligation (point c), protection of vital interests (point d), performance of a task carried out in the public interest or in the exercise of official authority (point e), and the legitimate interests of the controller or a third party (point f). The latter requires a balancing test in which the legitimate interests must not be overridden by the fundamental rights and freedoms of the data subject. Point f is not available to public authorities in the performance of their tasks.

For special categories of personal data under Article 9 GDPR, a legal basis under Article 6 alone is not sufficient; an exception under Article 9(2) must additionally apply. Where data is processed for a purpose other than the one it was collected for, a compatibility assessment under Article 6(4) is required. The chosen legal basis also determines which data subject rights apply: the right to withdraw exists only with consent, the right to object only with points e and f, and the right to data portability only with points a and b. A careful allocation of legal bases is therefore at the heart of any data-protection-compliant documentation.

Legal Basis

Article 6(1) GDPR (in conjunction with Article 9(2) GDPR for special categories)

Practical Example

An online retailer processes personal data on several legal bases at once: handling an order and shipping the goods rely on Article 6(1)(b) (performance of a contract), the subsequent retention of the invoice for ten years on point c (commercial and tax obligations), the newsletter dispatch on point a (consent), and fraud prevention at checkout on point f (legitimate interest). The data protection officer assigns the applicable legal basis to each processing activity in the record of processing activities and documents the outcome of the balancing test for point f in writing in order to satisfy the accountability obligation.

FAQ

Which legal bases does the GDPR provide for processing personal data?
Article 6(1) GDPR lists them exhaustively: consent (point a), performance of a contract (point b), legal obligation (point c), vital interests (point d), public interest or official authority (point e), and legitimate interests (point f). At least one of these grounds must be met for every processing operation.

Can the legal basis be changed after processing has begun?
No, swapping the legal basis afterwards is generally not permitted, in particular switching from consent to legitimate interest once consent has been withdrawn. The legal basis must be determined and documented before processing begins.

Is a legal basis under Article 6 sufficient for special categories of personal data?
No. For special categories of personal data under Article 9 GDPR, such as health or trade union data, an exception under Article 9(2) GDPR must apply in addition to a legal basis under Article 6.

How preeco supports you

Learn how our software supports you with this topic.
