
Under the GDPR, all processing of personal data must be based on a clearly defined legal basis. Without a legal basis, no collection, use, or retention of data can be considered lawful. This principle underpins all compliance: it ensures that processing serves a legitimate, proportionate, and transparent purpose for the individuals concerned.

The choice of legal basis determines how the processing is implemented, who may access the data, the obligations of the controller, and whether the purposes pursued are compatible with the GDPR. Understanding this concept is therefore essential for any organization wishing to secure its processing operations.


What is a legal basis under the GDPR?

The legal basis is the legal ground that authorizes a data controller to use personal data. Article 6 of the GDPR lists the situations in which processing is lawful. It must be determined before any data is collected, and it obliges the data controller to justify the processing in the event of an inspection or court proceedings.

This principle ensures that data is only processed for specific purposes and in a lawful and fair manner, whether the ground is a contract, a legal obligation, or the consent of the individuals concerned.

The six legal bases provided for by the GDPR for lawful data processing

The GDPR provides six possible legal bases. The choice depends exclusively on the purpose of the processing.

1. Consent

The person gives their free, informed, specific, and unambiguous consent. In other words, the person has consented to the processing.

  • Example: voluntary subscription to a newsletter.

2. Performance of the contract

Processing is necessary for the performance of a contract to which the individual is party or in order to take steps at the individual's request prior to entering into a contract.

  • Example: processing data to create a client account, data required for the delivery of an order.

3. Legal obligation

The data controller must process the data in order to comply with a legal obligation.

  • Example: retention of invoices for accounting purposes.

4. Vital interests

Processing is necessary to protect the life or physical integrity of a person.

  • Example: transmission of medical information in an emergency.

5. Public interest task

Applicable to organizations performing a public or regulatory function.

  • Example: managing an electoral register.

6. Legitimate interest

Legitimate interest may be used as a legal basis when processing is necessary for the purposes pursued by the controller, provided this does not create an imbalance to the detriment of the individuals concerned and their fundamental rights.

  • Example: securing computer systems.

Lawfulness of processing: How to choose the appropriate legal basis?

The choice must always be made based on the purpose of the processing, not on what seems easiest or most convenient for the company. Some key principles:

  • One purpose, one legal basis.
  • Consent is not a "safety net": it is only valid if it is free and revocable.
  • Legitimate interest requires in-depth analysis.
  • A legal obligation can only be invoked if it is actually imposed by a text.
  • The contract covers only what is strictly necessary for its performance, whether by the individual or by another person authorized by them.

An error in the legal basis can render the entire processing unlawful.

Why is the choice of legal basis strategic?

The legal basis directly influences:

  • The rights of individuals (e.g. the right to object where the basis is legitimate interest, the right to withdraw where consent has been given).
  • Permitted data retention periods and the compatibility of purposes.
  • The content of the privacy policy.
  • Evidence to be provided in the event of an inspection by CNIL (National Commission for Information Technology and Civil Liberties).
  • The risks of non-compliance if the basis is poorly chosen.

It therefore impacts both legal aspects and operational practices.

How can the legal basis be justified and documented?

The GDPR is based on the principle of accountability: the data controller must be able to demonstrate compliance at any time. This implies:

  • Document the legal basis in the processing register.
  • Keep related evidence (e.g. proof of consent).
  • Update the documentation in the event of changes to the processing.
  • Regularly check that the chosen legal basis is still appropriate.

Clear documentation facilitates audits, reduces risks, and reassures partners.


Common risks and errors

Certain non-compliances are common:

  • Invalid or ambiguous consent;
  • Abuse of legal obligation;
  • Misunderstanding of legitimate interest;
  • Multiple or interchangeable use of legal bases;
  • Lack of evidence or justification in the event of an inspection.

These errors can result in penalties, reputational damage, and operational difficulties.

Conclusion

The legal basis is one of the pillars of GDPR. Choosing it carefully, documenting it, and keeping it up to date is essential to ensure the lawfulness of processing, protect individuals' rights, and secure the organization's activities.

By mastering this concept, companies adopt a proactive, structured, and responsible approach that is fully aligned with GDPR requirements and with growing expectations in terms of data protection.

Samia Rahammia

IT and Data Lawyer and Marketing Project Manager