- GDPR Article 6 lists six lawful bases — at least one must apply to every processing activity
- Consent is not always the safest choice; for contracted services, contract performance is clearer
- You must identify your lawful basis before you start processing — you cannot switch retroactively
- The basis chosen affects which individual rights apply and how they can be exercised
Processing personal data without a lawful basis under GDPR Article 6 is unlawful — full stop. Yet many organisations either skip this step entirely, rely on consent as a catch-all, or document a basis without genuinely applying it. Supervisory authorities treat missing or incorrect lawful basis documentation as a significant compliance failure.
The six lawful bases are not interchangeable. Each carries different obligations and grants data subjects different rights. Choosing the right basis from the outset is foundational to your entire GDPR compliance programme.
The six lawful bases explained
Consent
The individual has given freely given, specific, informed and unambiguous consent, expressed by a statement or a clear affirmative action (Article 4(11)). Consent must be as easy to withdraw as to give. It cannot be bundled with other agreements, implied from silence or inactivity, or pre-ticked. Use consent for marketing communications, optional profile features, or processing that goes beyond what the relationship strictly requires.
Contract performance
Processing is necessary to perform a contract with the individual, or to take steps at their request before entering a contract. This is the primary basis for processing client data in professional services — you hold a client's contact details, KYC information, and matter data because you need to in order to deliver your services. Do not use consent for data that contract performance covers.
Legal obligation
Processing is necessary to comply with a legal obligation under EU or member state law. AML/KYC screening, mandatory reporting obligations, and employment law requirements fall here. This basis does not extend to contractual obligations — those are covered by Article 6(1)(b).
Vital interests
Processing is necessary to protect the vital interests of the data subject or of another natural person, which in practice means someone's life. This is a narrow basis, applicable primarily in genuine emergency situations, and Recital 46 indicates it should be used only where no other basis is available. It is rarely the correct basis for business data processing.
Public task
Processing is necessary for a task carried out in the public interest or in the exercise of official authority. This applies primarily to public authorities, regulators, and bodies exercising delegated public functions. Most private regulated businesses will not use this basis.
Legitimate interests
Processing is necessary for the legitimate interests of the controller or a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject. This requires a three-part Legitimate Interests Assessment (LIA): identify the legitimate interest (purpose test); show the processing is necessary for it (necessity test); balance it against the individual's interests, rights and freedoms (balancing test). Record the LIA, because you will need it if a data subject objects. Good for fraud prevention, network and information security, internal analytics, and B2B marketing to existing clients. Note that public authorities cannot rely on this basis for processing carried out in the performance of their tasks.
How lawful basis affects data subject rights
Your chosen basis directly determines which rights data subjects can exercise in addition to the rights that apply regardless of basis (access, rectification, restriction):
- Consent: individuals can withdraw consent at any time; once withdrawn, the processing must stop and the right to erasure applies unless another lawful basis covers the data (Article 17(1)(b)). The right to data portability (Article 20) also applies.
- Contract performance: the right to object (Article 21) does not apply, but the right to data portability does; data must be deleted when the contract ends and the retention period expires
- Legal obligation: the right to erasure does not apply while the data is needed to satisfy the obligation (Article 17(3)(b)); the rights to object and to portability do not apply either
- Legitimate interests: individuals have a right to object on grounds relating to their particular situation. This right is not absolute: you may continue only if you can demonstrate compelling legitimate grounds that override their interests, rights and freedoms, or for legal claims. Where the processing is direct marketing, the right to object is absolute and you must stop as soon as the individual objects (Article 21(2) and (3)).
Documenting your lawful basis
Your Record of Processing Activities (RoPA) under Article 30 must document the lawful basis for each processing activity. Your privacy notice must also communicate the basis to data subjects. Documenting it after the fact, or relying on a basis you did not genuinely assess at the time, is not compliant.
Can we switch from one lawful basis to another?
In most cases, no. ICO and EDPB guidance is clear that you cannot switch bases to escape an obligation that has arisen (for example, moving from consent to legitimate interests after people withdraw consent), and a late switch without good reason is itself treated as evidence that the basis was never properly assessed. You should identify and document the correct basis before processing begins.
Do we need consent for client data if we have a contract?
No. If you hold client data to perform a contract or a legal obligation, consent is not the appropriate basis — and using it creates obligations (easy withdrawal, right to erasure) that you do not need if the correct basis is contract performance or legal obligation.
Document your lawful bases properly
HubSecure's compliance workspace includes templates for Records of Processing Activities and privacy notices, pre-mapped to your industry and jurisdiction.
Official sources and further reading
Use these public sources to verify regulatory background and terminology. HubSecure content is product guidance, not legal advice.
Credibility notes
This guide is written for product and operations evaluation, not as legal advice. For compliance obligations, confirm requirements with qualified counsel or the relevant regulator.
Reviewed for regulated teams
Prepared by the HubSecure editorial team for operators, compliance leaders and IT reviewers evaluating secure client operations software.