Every time your website collects an email address, drops a cookie, or logs a page visit, you are processing personal data. Under Article 6(1) of the GDPR, that processing is unlawful unless it rests on one of six specific legal grounds. Pick the wrong one -- or fail to pick one at all -- and you face enforcement action, fines, and an order to stop processing entirely.

This is not a theoretical risk. More fines have been issued under the GDPR for processing that lacked a sufficient legal basis than for any other type of violation. According to the CMS GDPR Enforcement Tracker Report published in 2025, data protection authorities across Europe had recorded over 2,245 fines by March 2025, totalling roughly EUR 5.65 billion. The single most common category of violation? Insufficient legal basis for processing.

What Article 6 Actually Says

Article 6(1) of the GDPR lists six -- and only six -- lawful bases for processing personal data. There is no seventh option, no catch-all fallback, and no general "business need" exemption. You must identify your lawful basis before you begin processing, document it, and communicate it to data subjects through your privacy notice.

You cannot swap your lawful basis after the fact unless your processing purpose genuinely changes and a fresh assessment confirms a different basis is more appropriate. Even then, you need to document the change and inform both the data subjects and your supervisory authority. The IAPP has noted that controllers must identify their basis by the time data collection occurs, and under Article 13(1)(d), they must also tell data subjects which basis they are relying on at that point.

If your processing involves special category data -- racial or ethnic origin, health data, biometric data, political opinions, and so on -- you need to satisfy an additional condition under Article 9 on top of your Article 6 basis.

The Six Lawful Bases at a Glance

| Lawful Basis | GDPR Article | Typical Use Case | Key Requirement |
|---|---|---|---|
| Consent | 6(1)(a) | Marketing emails, analytics cookies, newsletter sign-ups | Freely given, specific, informed, unambiguous |
| Contract | 6(1)(b) | Processing an order, delivering a service | Processing must be necessary for the contract |
| Legal obligation | 6(1)(c) | Tax records, employment law, anti-money laundering | Must point to a specific law |
| Vital interests | 6(1)(d) | Medical emergencies, disaster response | Life-or-death situations only |
| Public task | 6(1)(e) | Public authorities, state-mandated functions | Grounded in EU or Member State law |
| Legitimate interests | 6(1)(f) | Fraud prevention, IT security, direct marketing | Requires a documented balancing test |

Consent -- Article 6(1)(a)

Consent is the lawful basis most people think of first, and often the one that gets misapplied. Under the GDPR, valid consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes do not count. Bundled consent -- where a user must agree to multiple unrelated processing activities in a single tick -- does not count either.

The data subject must be able to withdraw consent as easily as they gave it. If someone opts in with a single click, they should be able to opt out with a single click too. Your processing must stop once consent is withdrawn, and you cannot penalise someone for withdrawing.

When Consent Is the Right Choice

Consent works well when you are offering something genuinely optional: a newsletter, marketing communications, analytics cookies, or access to a loyalty programme. It gives data subjects real control and, when implemented properly, builds trust.

But consent is fragile. It can be withdrawn at any moment, which means any processing that depends on it can be pulled out from under you. That makes consent a poor choice for activities that are central to your business operations -- you do not want your ability to process payroll or fulfil orders contingent on an individual's revocable permission.

Where Consent Goes Wrong

The French data protection authority CNIL fined Google EUR 150 million in 2022 for making it harder for users to refuse cookies than to accept them. The banner required a single click to accept all cookies but multiple clicks to refuse. That asymmetry meant consent was not freely given.

Cookie consent is one of the most visible applications of this lawful basis for website owners. If your site sets analytics cookies like _ga or advertising cookies like _fbp, you almost certainly need consent under both the GDPR and Article 5(3) of the ePrivacy Directive. A tool like Kukie.io's cookie scanner can identify exactly which cookies your site sets, so you know which ones require consent and which fall under a different legal basis.

Contractual Necessity -- Article 6(1)(b)

This basis applies when processing is genuinely necessary to perform a contract with the data subject, or to take pre-contractual steps at their request. The operative word is "necessary" -- not merely useful, convenient, or commercially advantageous.

If someone places an order on your e-commerce site, you need their delivery address to fulfil that order. That is contractual necessity. If you also want to analyse their browsing behaviour to show them personalised product recommendations, that is not necessary for the contract -- it is a separate purpose that needs a separate lawful basis.

The Meta Case: A Landmark Warning

Meta learned this distinction the hard way. In January 2023, the Irish Data Protection Commission fined Meta EUR 390 million (EUR 210 million for Facebook, EUR 180 million for Instagram) after the EDPB ruled that Meta could not rely on "performance of a contract" as the lawful basis for processing personal data for behavioural advertising.

Meta had argued that when users accepted its Terms of Service, they entered into a contract that included personalised advertising. The EDPB disagreed on three grounds. First, Meta is not contractually obligated to deliver personalised ads to users -- that obligation exists between Meta and its advertisers. Second, contract cannot serve as a valid basis if users do not clearly understand how their data is processed. Third, data subjects have a right under Article 21 of the GDPR to object to processing for direct marketing, which is incompatible with a contractual basis that they cannot opt out of.

The case had massive consequences for the adtech industry. Any platform whose business model depends on personalised advertising now faces serious questions about whether contractual necessity can ever justify that processing.

Legal Obligation -- Article 6(1)(c)

You can process personal data without consent when a specific law requires you to do so. This covers statutory and common-law obligations under EU or Member State law -- but not contractual obligations. The distinction matters.

Common examples include retaining employee payroll records under tax legislation, filing suspicious activity reports under anti-money laundering rules, or maintaining health and safety logs in a workplace. In each case, you should be able to point to the specific legal provision that mandates the processing.

This basis is relatively straightforward to apply. If a law says "you must keep this data for X years," you have your legal basis. The challenge is ensuring you do not extend the processing beyond what the law actually requires. Keeping tax records for seven years because HMRC requires it is one thing. Keeping them for twenty years "just in case" is another -- and likely unjustifiable.

Vital Interests -- Article 6(1)(d)

This is the narrowest of the six bases. Vital interests applies when processing is necessary to protect someone's life. Think medical emergencies: a hospital treating an unconscious patient needs to access their medical records even though the patient cannot consent.

The GDPR is explicit that you should use a different lawful basis whenever possible. Vital interests is genuinely a last resort, not a creative workaround for situations where obtaining consent would be inconvenient. If you are a website owner running an online shop, you will almost certainly never need this basis.

One narrow exception worth noting: Article 9(2)(c) allows vital interests to serve as a condition for processing special category data in life-threatening situations. But this is a lifeline for medical professionals and emergency responders, not for marketers.

Public Task -- Article 6(1)(e)

Public task covers processing that is necessary for performing a task in the public interest or exercising official authority. It is used primarily by public bodies: local councils, government agencies, NHS trusts, public universities, and organisations carrying out functions mandated by law.

Private organisations can rely on public task in limited circumstances -- for instance, a private company operating a utility service under a statutory licence. But the task must be grounded in EU or Member State law. You cannot simply declare your own activities to be "in the public interest" and claim this basis.

If your organisation does use public task, note that data subjects have the right to object under Article 21(1). Unlike the absolute right to object to direct marketing, objections based on public task require a balancing exercise. You can continue processing if you demonstrate compelling legitimate grounds that override the individual's interests.

Legitimate Interests -- Article 6(1)(f)

Legitimate interests is the most flexible of the six bases -- and the most frequently misused. It applies when the processing serves a legitimate interest of the controller or a third party, provided that interest does not override the rights and freedoms of the data subject.

In October 2024, the EDPB published draft Guidelines 1/2024 specifically on this lawful basis, building on a decade-old WP29 Opinion from 2014 and incorporating recent CJEU case law. The guidelines confirm that legitimate interests should be assessed using a strict three-part test.

The Three-Part Legitimate Interests Assessment

Step 1: Identify the interest. The interest must be lawful, clearly and precisely articulated, and real and present -- not speculative or hypothetical. The CJEU has recognised commercial interests as potentially legitimate, including fraud prevention, IT security, and product improvement.

Step 2: Demonstrate necessity. You must show that the processing is strictly necessary to pursue the interest. If you can achieve the same goal by less intrusive means -- or without processing personal data at all -- legitimate interests fails at this step. The EDPB adds the word "strictly" before "necessary," signalling a higher bar than some organisations assume.

Step 3: Conduct a balancing test. Weigh your interest against the data subject's rights and freedoms. The EDPB's 2024 guidelines stress the importance of the data subject's reasonable expectations. If a person would be surprised to learn their data is being processed in this way, the balance is likely to tip against you.

Children's data receives special protection here. The EDPB guidelines note that the interests of minors will "very often" outweigh those of controllers.

Common Legitimate Interest Scenarios

Recital 47 of the GDPR mentions direct marketing as a processing activity that may be regarded as serving a legitimate interest. But the EDPB's 2024 guidelines caution that this does not mean direct marketing automatically qualifies. Each case requires its own assessment, and in many situations -- particularly email marketing or behavioural profiling -- consent may still be the more appropriate basis.

Other commonly cited legitimate interests include network and information security (Recital 49), preventing fraud, and intra-group administrative transfers. If you rely on legitimate interests, the right to data portability under Article 20 does not apply -- but the right to object under Article 21 is absolute when the processing relates to direct marketing.

Document Everything

If you use legitimate interests, you must document your Legitimate Interests Assessment (LIA). This is not optional. When a data protection authority asks how you justify your processing, your LIA is the document they will want to see. The EDPB recommends providing data subjects with information about the specific legitimate interest being pursued, not just a vague reference to "our legitimate business interests."

How to Choose the Right Lawful Basis

There is no universal "best" lawful basis. The right choice depends on your relationship with the data subject, the purpose of processing, and the type of data involved. Here is a practical decision path:

Start by asking whether a law compels you to process the data. If yes, legal obligation is likely your basis. Next, check whether the processing is necessary to deliver a product or service the individual has specifically requested. If so, contractual necessity applies. If neither of those fits, consider whether the processing serves a clear business need that the individual would reasonably expect. If you can pass the three-part test, legitimate interests may work. If none of the above apply -- or if the processing involves profiling, marketing, or optional data collection -- consent is typically the safest route.

Vital interests and public task rarely apply to private-sector websites. If you are unsure whether they apply to you, they probably do not.

One critical rule: you can only assign one lawful basis per processing activity. You cannot hedge by claiming both consent and legitimate interests for the same processing. Pick one, document it, and communicate it clearly in your privacy notice.

What Happens If You Choose Incorrectly

Getting the lawful basis wrong is one of the most expensive mistakes an organisation can make under the GDPR. The regulation treats it as a fundamental compliance failure, not a technicality.

Consider the enforcement landscape in 2024 alone. The Irish DPC fined LinkedIn EUR 310 million in October 2024 for processing users' personal data for behavioural analysis and targeted advertising without a valid legal basis. The Dutch DPA fined Uber EUR 290 million in August 2024 for transferring European drivers' data to the United States without appropriate safeguards. Meta received another EUR 251 million fine in December 2024 for a security breach affecting 29 million users.

These are not isolated cases. The CMS Enforcement Tracker shows that insufficient legal basis has been the single most common reason for GDPR fines across all reporting periods since 2018. The average fine across all countries and all categories stood at roughly EUR 2.36 million as of March 2025.

Beyond the financial penalty, a regulator can order you to stop processing. For a business that depends on personal data -- which, in practice, means almost every online business -- a processing ban can be more damaging than any fine.

Lawful Basis and Cookies on Your Website

For website owners, the lawful basis question intersects directly with cookie consent. The ePrivacy Directive (Article 5(3)) requires consent for storing or accessing information on a user's device unless the cookie is "strictly necessary" for a service the user has explicitly requested.

Strictly necessary cookies -- like PHPSESSID for maintaining a shopping cart or csrf_token for security -- do not need consent. They can be set without a banner, without a pop-up, and without asking permission. Everything else -- analytics cookies (_ga, _gid), advertising cookies (_fbp, fr), and most functional cookies (pll_language) -- requires informed, prior consent.

This means that for the GDPR side, your lawful basis for setting non-essential cookies is almost always consent under Article 6(1)(a). Legitimate interests does not override the ePrivacy Directive's consent requirement, even if you could argue a legitimate interest in understanding your traffic through analytics.

If you are unsure which cookies your site sets, run a free scan with Kukie.io. The scanner identifies every first-party and third-party cookie, categorises them, and flags which ones require consent -- giving you a clear picture of your lawful basis obligations.
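As an added illustration (not code from this article or from Kukie.io), the check below parses Set-Cookie headers captured on a first page load, before any consent choice was recorded, and flags the cookies that, by the categories above, required prior consent. The cookie names are the ones the article lists; the sample headers, values and the example.com domain are constructed.

```javascript
// Added example, not from the article: audit Set-Cookie headers captured
// before a consent choice was recorded, using the article's cookie names.
const COOKIE_CATEGORIES = {
  PHPSESSID: "strictly-necessary", csrf_token: "strictly-necessary",
  _ga: "analytics", _gid: "analytics",
  _fbp: "advertising", fr: "advertising",
  pll_language: "functional",
};

// Under ePrivacy Art. 5(3) only strictly necessary cookies escape consent.
function requiresConsent(category) {
  return category !== "strictly-necessary";
}

// Parse "name=value; Attr=val; Flag" into { name, value, attributes }.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const attributes = {};
  for (const a of rest) {
    const i = a.indexOf("=");
    attributes[(i < 0 ? a : a.slice(0, i)).toLowerCase()] = i < 0 ? true : a.slice(i + 1);
  }
  return { name: eq < 0 ? pair : pair.slice(0, eq), value: eq < 0 ? "" : pair.slice(eq + 1), attributes };
}

// Exact name first, then a known prefix (GA4 sets _ga_<STREAM>), else "unknown".
// hasOwnProperty avoids matching inherited names such as "constructor".
function categorise(name) {
  if (Object.prototype.hasOwnProperty.call(COOKIE_CATEGORIES, name)) return COOKIE_CATEGORIES[name];
  const p = Object.keys(COOKIE_CATEGORIES).find((k) => name.startsWith(k + "_"));
  return p ? COOKIE_CATEGORIES[p] : "unknown";
}

// Return cookies that needed prior consent but were set anyway. Unknown
// cookies are flagged too: the safe default is to treat them as non-essential.
function auditPreConsent(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .map((c) => ({ name: c.name, category: categorise(c.name), domain: c.attributes.domain || null }))
    .filter((c) => requiresConsent(c.category));
}

// Constructed sample: headers seen on first load, before the banner was answered.
const SAMPLE_HEADERS = [
  "PHPSESSID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
  "csrf_token=xyz; Path=/; Secure; SameSite=Strict",
  "_ga=GA1.2.111; Domain=.example.com; Path=/; Max-Age=63072000",
  "_ga_ABC123=GS1.1.222; Domain=.example.com; Path=/",
  "_fbp=fb.1.333; Domain=.example.com; Path=/",
  "pll_language=en; Path=/",
];
```

Running `auditPreConsent(SAMPLE_HEADERS)` on the constructed headers reports the two Google Analytics cookies, the Facebook pixel cookie and the language cookie, while the session and CSRF cookies pass.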

The 2024 EDPB Guidelines: What Changed for Legitimate Interests

The EDPB's Guidelines 1/2024, adopted in October 2024 following a CJEU ruling in Case C-621/22 (the Royal Dutch Tennis Association case), provide the most detailed official guidance on legitimate interests since the GDPR took effect. A few points deserve particular attention.

The guidelines clarify that an interest pursued by a controller should relate to its actual activities. A private company whose business is commercial in nature cannot generally claim a legitimate interest in systematically collecting data for law enforcement purposes -- that interest belongs to the authorities, not to the business. The CJEU established this principle in its 20