Lawful Basis

Under GDPR Article 6, every processing activity must have a lawful basis. The six lawful bases are: consent (clear, informed, affirmative agreement), contract (necessary for performing a contract), legal obligation (necessary to comply with law), vital interests (necessary to protect someone's life), public task (necessary for a task in the public interest), and legitimate interests (necessary for legitimate interests unless overridden by individual rights). The choice of lawful basis affects which rights are available to data subjects. For example, the right to data portability only applies when the lawful basis is consent or contract. Organizations must determine and document the lawful basis before processing begins, and cannot change the lawful basis retrospectively.