Article 6 lists the six legal bases that data controllers can use to justify their use of personal data. Without a legal basis, processing cannot be done lawfully under the GDPR.
The six available legal bases for processing are:
- consent;
- performance of a contract (including steps to conclude a contract);
- legal obligation;
- vital interest of the data subject or another individual;
- task of public interest; and/or
- legitimate interest of the controller.
The controller needs to determine which legal basis to use before starting to process the data. Which legal basis is most appropriate depends on the context of the processing. The purpose of the processing and the relationship to the data subjects are two factors that should be considered when choosing a legal basis.