One of the most frequent errors we identify when helping companies comply with Regulation (EU) 2016/679 (GDPR) is confusion between the different lawful bases for processing. Many organisations default to consent out of habit, without considering whether a more solid basis exists, or invoke legitimate interest without having carried out the required balancing test. Both situations can result in unlawful processing, with the consequences set out in Article 83 GDPR.
This article analyses the six lawful bases of Article 6(1) GDPR, explains when each applies with concrete examples, and details the three-step balancing test that the Spanish Data Protection Authority (AEPD — Agencia Española de Protección de Datos) and the European Data Protection Board (EDPB) require in order to rely on legitimate interest.
Why choosing the right lawful basis is not a bureaucratic formality
Article 6(1) GDPR establishes that every processing of personal data must be covered by at least one valid lawful basis. Without a lawful basis, processing is unlawful. Moreover, the lawful basis is not interchangeable: if a company collected consent for a specific processing activity and later wishes to change its basis, it must analyse this carefully, because in many cases doing so would mean acknowledging either that the original consent was unnecessary — or that the data were processed without a valid basis for a period of time.
In addition, the choice of lawful basis determines which data subject rights apply. For example, the right to data portability (Art. 20 GDPR) exists only where processing is based on consent or a contract. The specific right to object under Article 21(1) — distinct from the right to object to direct marketing processing — exists only where processing is based on legitimate interest or public interest. Getting the basis wrong is not a formality: it shapes the rights regime available to individuals.
The six lawful bases under Article 6(1) GDPR
Article 6(1) sets out an exhaustive list of the enabling bases. There are no others beyond these six:
| Letter | Lawful basis | Typical scenario | Right to object | Right to portability |
|---|---|---|---|---|
| a) | Consent of the data subject | Marketing newsletter, analytics cookies, personalised advertising | No (but consent can be withdrawn) | Yes (Art. 20 GDPR) |
| b) | Performance of a contract or pre-contractual measures at the request of the data subject | Order management, account registration, payroll processing | No | Yes (Art. 20 GDPR) |
| c) | Compliance with a legal obligation | Accounting and tax compliance, anti-money-laundering obligations, employment law requirements | No | No |
| d) | Protection of vital interests of the data subject or another person | Disclosure of health data in medical emergencies | No | No |
| e) | Public interest or exercise of official authority | Public authorities, universities, bodies acting in the public interest | Yes (Art. 21(1) GDPR) | No |
| f) | Legitimate interests of the controller or a third party | CCTV on premises, fraud prevention, direct marketing to existing customers | Yes (Art. 21(1) GDPR) | No |
Basis a): consent and its strict requirements
Consent is, paradoxically, the weakest lawful basis under Article 6(1), even though it is the best known. Article 7 GDPR and Recital 32 set very precise conditions: consent must be freely given, specific, informed, and unambiguous. It is not enough for the data subject to have failed to tick an opt-out box; a positive, affirmative act is required.
Consent is not freely given when:
- Giving it is a condition for accessing a service that could be provided without that processing (tied or bundled consent).
- There is a clear imbalance of power between the controller and the data subject (the employer-employee relationship is particularly sensitive).
- Withdrawing it has disproportionate consequences for the data subject.
Furthermore, consent may be withdrawn at any time and as easily as it was given (Art. 7(3) GDPR). This requires technical withdrawal mechanisms to be as accessible as the collection mechanism. If obtaining consent takes a single click but revoking it means sending an email and waiting for a reply, the mechanism does not meet the GDPR standard.
Consent is the appropriate basis when processing cannot be justified by a more solid basis — for example, sending commercial communications to people who are not existing customers, or using non-strictly-necessary cookies. For most routine business processing activities, a more appropriate basis usually exists.
Basis b): the contract — the most underused basis
Article 6(1)(b) GDPR covers processing that is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract. This basis covers, without the need for consent, all data that are genuinely necessary to deliver the contracted service.
The key lies in the word necessary: the processing must be objectively necessary for the contractual purpose, not merely convenient or useful for the controller. The AEPD and the EDPB (in their guidelines on the contractual basis) have emphasised that this basis cannot be invoked for processing that goes beyond the core of the contract, such as profiling user behaviour or sharing data with third parties for their own purposes.
Clear examples of processing covered by basis b): order management in e-commerce, account creation and management, invoicing, customer communications about service delivery, payroll processing, and employment relationship management.
Basis c): legal obligation — the most resistant to challenge
Where a statutory provision obliges the controller to process certain data, the lawful basis is compliance with a legal obligation (Art. 6(1)(c) GDPR). This basis requires no consent from the data subject and cannot be blocked by them through the exercise of the right to object.
Common processing activities on this basis: retention of invoices for the period required by the General Tax Act (four years), reporting obligations to the Spanish Tax Agency (form 347, withholdings, etc.), notification of workplace accidents to the Labour Authority, anti-money-laundering obligations under Law 10/2010, and disclosure to law enforcement bodies where required by applicable rules.
Bases d) and e): vital interests and public interest
Basis d) — protection of vital interests — is reserved for emergency situations in which the data subject cannot give consent and their physical integrity or that of another person is at stake. Its application in the ordinary business context is very restricted.
Basis e) — public interest or exercise of official authority — applies primarily to public authorities, bodies governed by public law, and, in certain cases, private entities carrying out legally recognised functions in the public interest. An ordinary private company cannot invoke this basis in a general manner.
Basis f): legitimate interest and the three-step balancing test
The legitimate interest of the controller or a third party (Art. 6(1)(f) GDPR) is the most flexible basis but also the one that demands the greatest rigour in its justification. It cannot be invoked with a generic formula in a privacy policy; it requires a documented analysis demonstrating that the balancing between the controller's interest and the data subject's rights was carried out correctly.
Recital 47 of the GDPR and the EDPB Guidelines 1/2024 (updating WP29 Opinion 06/2014, WP217) structure this balancing exercise into three successive steps, all of which are mandatory:
Step 1 — Legitimate interest test: is there a real and legitimate interest?
The interest must be real (not speculative), present (not future or hypothetical), and legitimate (consistent with the legal framework and the values of the GDPR). Examples recognised by the AEPD and the EDPB: fraud prevention, network and information security, direct marketing to existing customers with similar products, CCTV for the protection of premises, and intra-group data transfers for internal administrative purposes.
Step 2 — Necessity test: is the processing necessary for that interest?
Processing is only lawful if it is necessary to achieve the identified legitimate interest. This means verifying that no alternative method, equally effective but less intrusive for data subjects' rights, exists. If the same goal can be achieved with anonymised or pseudonymised data, or with a smaller dataset, the legitimate interest basis will not survive this step.
Step 3 — Balancing test: does the legitimate interest override the data subject's rights?
This is the core analysis. The controller must weigh its legitimate interest against the interests, rights, and fundamental freedoms of the data subject, taking into account:
- The nature of the data (especially whether they constitute special categories).
- The data subject's reasonable expectations in the context of the relationship (a customer expects communications about their purchases, not about their browsing habits on other websites).
- The potential impact of the processing (scope and severity of possible harm).
- The safeguards applied (encryption, pseudonymisation, access restrictions, retention periods).
- The ability to exercise the right to object effectively.
If the analysis concludes that the data subject's rights prevail, the processing cannot be based on legitimate interest. The organisation must seek another lawful basis — usually consent — or refrain from the processing altogether.
At Summum Consultoría we support organisations in their GDPR compliance journey, including drafting the documented legitimate interest assessment for each processing activity that requires one.
Consent vs. legitimate interest: when to choose each
The most common practical confusion is the one between consent (basis a) and legitimate interest (basis f). The following guidance helps to make the right choice:
- Use consent when the processing is not necessary for the contractual relationship, is not imposed by law, cannot be justified by legitimate interest (because the impact on the data subject is high or their reasonable expectations run counter to the processing), and the data subject can decide freely without negative consequences for the service they receive. Example: sending a newsletter to a visitor who is not an existing customer.
- Use legitimate interest when there is a real and proportionate interest, the processing is necessary, the data subject can reasonably expect that processing in the context of the relationship, and the impact on their rights is limited or offset by adequate safeguards. Example: informing existing customers about new products similar to those already purchased (with an active right to object offered in each communication).
A common misconception is that legitimate interest is more "convenient" because it avoids collecting consent. In practice, legitimate interest demands more documentation work and is more vulnerable to challenge if it is not properly substantiated. Well-managed consent, in the cases where it applies, is a solid and transparent basis.
Examples of lawful basis by type of processing
The following list illustrates how to apply Article 6(1) GDPR to processing activities common in an SME or mid-sized company:
- Payroll and employment relationship management: bases b) (employment contract) and c) (labour law and social security obligations). No consent required.
- Invoicing and accounting: bases b) and c) (tax obligations). No consent required.
- Customer support for issues relating to the contracted service: basis b). No consent required.
- CCTV on own premises: basis f) (legitimate interest in the security of the premises and staff), provided the balancing test is passed. Appropriate signage required.
- Newsletter sent to subscribers who are not customers: basis a) (consent). Requires active opt-in and an immediate unsubscribe mechanism.
- Direct marketing to existing customers about similar products: basis f) (legitimate interest), consistent with Recital 47 GDPR and the LOPDGDD (Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales — the Spanish implementing act). Requires offering the right to object in every communication.
- Behavioural profiling for advertising purposes: basis a) (consent), given the high privacy expectations and significant impact on data subjects.
- Internal fraud prevention: basis f) (legitimate interest), with proportionate safeguards and access restrictions.
- Disclosure of employee data to mutual insurance funds or the INSS (social security institute): basis c) (legal obligation under social security and occupational risk prevention law).
How to document the lawful basis: the record of processing activities
Article 30 GDPR requires controllers to maintain a record of processing activities (RoPA). The data to be included expressly covers the lawful basis for each processing activity (Art. 30(1)(b) GDPR). This record is the first document the AEPD requests when opening an inspection or investigation.
For processing based on legitimate interest, the RoPA must be accompanied by the documented balancing assessment, to demonstrate that it was carried out before the processing began and not drafted ex post as a reactive justification. Prior documentation is, in practice, the only evidence that demonstrates proactive diligence.
If your organisation does not have an up-to-date record of processing activities or has not documented the lawful basis for each processing activity, Summum Consultoría's GDPR compliance service provides end-to-end support for companies in Castilla y León and the Canary Islands: from processing mapping to drafting the RoPA and the balancing assessments.
Frequently asked questions
Can I change the lawful basis for an ongoing processing activity?
As a general rule, it is not possible to change the lawful basis retroactively and without informing the data subjects. Any change must be justified, compatible with the original purpose of the processing (Art. 6(4) GDPR), and accompanied by an update of the information provided to data subjects. If the change involves a purpose that is incompatible with the original, the data subject's consent is required, or there must be an explicit statutory authorisation. The AEPD has fined companies that changed their lawful basis in an opaque manner or without adequate notice to data subjects.
Can legitimate interest be used for any commercial processing activity?
No. Legitimate interest requires passing the three-step balancing test. In the field of marketing, Recital 47 GDPR expressly recognises the possibility of relying on legitimate interest for commercial communications to existing customers about their own similar products or services. However, it does not cover, without more, mass mailing to third-party databases, large-scale behavioural profiling, or sharing data with third parties for their own commercial purposes.
What happens if my privacy policy states an incorrect lawful basis?
The information provided to data subjects about the lawful basis is a requirement under Article 13 GDPR. Stating an incorrect basis constitutes a breach of the transparency obligation, which may be subject to sanctions under Article 83(5) GDPR, with fines of up to EUR 20,000,000 or 4% of total worldwide annual turnover. Beyond the fine, if the stated basis does not reflect the actual basis, the processing as a whole could be deemed unlawful. Periodically verifying that the actual processing activities match the declared lawful basis is part of any serious GDPR compliance programme.
Can employee consent be a valid basis for processing their data?
As a general rule, no. The EDPB and the AEPD have repeatedly stated that employee consent rarely meets the requirement of being freely given, given the inherent power imbalance in the employment relationship. An employee who fears reprisals for refusing to consent is not giving consent freely. Accordingly, processing of employee data must be based, as appropriate, on basis b) (employment contract), c) (legal obligations under labour law and social security law), or f) (legitimate interest with a balancing test). Consent is only valid in clearly voluntary situations that are genuinely unconnected to the conditions of employment.