---
title: "EU GDPR Article 6 Legal Bases FAQ"
canonical_url: "https://www.sorena.io/artifacts/eu/general-data-protection-regulation/faq/legal-bases"
source_url: "https://www.sorena.io/artifacts/eu/general-data-protection-regulation/faq/legal-bases"
author: "Sorena AI"
description: "FAQ on the six Article 6 GDPR lawful bases, consent caveats, legitimate interests, public-task and legal-obligation limits, and Article 9 special-category data."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "EU GDPR"
  - "GDPR"
  - "Article 6"
  - "lawful basis"
  - "consent"
  - "contract"
  - "legal obligation"
  - "vital interests"
  - "public task"
  - "legitimate interests"
  - "Article 9"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform

[Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io)

---

# EU GDPR Article 6 Legal Bases FAQ

FAQ on the six Article 6 GDPR lawful bases, consent caveats, legitimate interests, public-task and legal-obligation limits, and Article 9 special-category data.

*FAQ* *EU GDPR*

## GDPR Article 6 Legal Bases

A processing activity needs at least one Article 6 lawful basis before personal data is processed: consent, contract, legal obligation, vital interests, public task, or legitimate interests.

Use this FAQ to document the basis by purpose, avoid overusing consent, test legitimate interests, and separate Article 6 lawfulness from Article 9 special-category conditions.

Under Article 6 GDPR, processing is lawful only if at least one listed lawful basis applies. The basis should be chosen for each processing purpose before collection, explained in notices where required, and reviewed when the purpose, data, role, or affected people change.

## What are the six Article 6 lawful bases?

Article 6(1) GDPR lists six lawful bases: consent for one or more specific purposes; necessity for a contract with the data subject or pre-contract steps requested by the data subject; necessity for a legal obligation that applies to the controller; necessity to protect vital interests; necessity for a public-interest task or official authority vested in the controller; and necessity for legitimate interests pursued by the controller or a third party, unless overridden by the data subject's interests or fundamental rights and freedoms.

Pick the basis for the specific purpose, not for the system as a whole. A product may rely on contract for account delivery, legal obligation for statutory records, consent for optional communications, and legitimate interests for a separate low-risk operational purpose if the balancing test supports it.

- Consent: record the specific purpose and the affirmative consent event.
- Contract: show why the processing is necessary to perform the contract or requested pre-contract step.
- Legal obligation: identify the Union or Member State law that requires the controller to process the data.
- Vital interests: reserve for protection of a natural person's vital interests.
- Public task or official authority: link the processing to the public-interest task or official authority vested in the controller.
- Legitimate interests: document the interest, necessity, and balancing test, including child or rights impacts.

Sources for this answer:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 6 lists the six lawful bases and states that processing is lawful only if at least one applies.
- [Data Protection Commission - Guidance on Legal Bases for Processing Personal Data](https://www.dataprotection.ie/en/dpc-guidance/guidance-legal-bases-processing-personal-data?ref=sorena.io) - Explains that controllers should identify their reason or justification for processing and names the six Article 6 bases.

## When is consent risky as the lawful basis?

Consent must be freely given, specific, informed, and unambiguous, and Article 7 requires the controller to demonstrate consent. It must be as easy to withdraw as to give, and withdrawal does not invalidate processing that was lawful before withdrawal.

Consent is weak where the person has no real choice, the request is bundled into terms, the service is conditional on unnecessary processing, or there is a power imbalance. The EDPB guidance calls out public-authority and employment contexts as situations where consent will often be difficult to rely on because free choice may be limited.

- Do not use consent for data that is actually necessary to perform the requested service; test Article 6(1)(b) instead.
- Do not bundle optional marketing, sharing, or analytics purposes into one all-or-nothing consent.
- Keep enough consent records to show who consented, for what purpose, through which action, and what information was shown.
- Give withdrawal through a practical route that is not harder than the original consent route.
- Do not silently switch withdrawn or invalid consent to legitimate interests after collection.

Sources for this answer:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 7 sets consent demonstration, clear-language, withdrawal, and conditionality requirements.
- [EDPB Guidelines 05/2020 on consent under Regulation 2016/679](https://edpb.europa.eu/our-work-tools/our-documents/guidelines/edpb-guidelines-052020-consent-under-regulation-2016679_en?ref=sorena.io) - Explains free choice, power imbalance, conditionality, granularity, consent records, withdrawal, and limits on switching lawful bases.

## How should legitimate interests be documented?

Article 6(1)(f) is available where processing is necessary for legitimate interests pursued by the controller or a third party, unless those interests are overridden by the data subject's interests or fundamental rights and freedoms. The GDPR text specifically highlights protection of children in this balancing exercise.

A useful legitimate-interest record separates three questions: what legitimate interest is pursued, why the processing is necessary for that interest, and why the data subject's interests, rights, and freedoms do not override it. The record should also identify privacy notice text, objection handling, safeguards, and the review trigger.

- Name the concrete interest, not a generic business preference.
- Explain why less intrusive processing would not achieve the same purpose.
- Assess affected people, reasonable expectations, sensitivity, consequences, and safeguards.
- Do not use Article 6(1)(f) for public authorities processing in the performance of their tasks.
- Reassess the balance when the purpose, data categories, profiling, user group, or safeguards change.

Sources for this answer:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 6(1)(f) sets the legitimate-interests basis and excludes public authorities using it for processing in the performance of their tasks.

## What limits apply to legal obligation and public task?

Article 6(1)(c) covers processing necessary for compliance with a legal obligation to which the controller is subject. Article 6(1)(e) covers processing necessary for a public-interest task or official authority vested in the controller.

Both bases need a grounding legal basis in Union law or Member State law. Article 6(3) says that the purpose must be determined in that legal basis, or for public task must be necessary for the public-interest task or official authority, and that the law must meet an objective of public interest and be proportionate to the legitimate aim pursued.

- For legal obligation, cite the law that applies to the controller and requires the processing.
- For public task, cite the public-interest task or official authority vested in the controller.
- Do not treat internal policy, customer preference, or a contract clause as a GDPR Article 6(1)(c) legal obligation.
- Do not invent Member State details unless the cited source in the record provides them.
- Keep the cited legal basis, purpose, data categories, affected data subjects, recipients, retention logic, and safeguards together in the processing record.

Sources for this answer:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 6(3) requires Article 6(1)(c) and 6(1)(e) processing to be based on Union or Member State law and limits the purpose and proportionality of that basis.

## How does Article 9 special-category data change the answer?

Article 6 lawfulness is not the whole analysis when special-category data is involved. Article 9 separately prohibits processing data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to uniquely identify a person, health data, or data about a person's sex life or sexual orientation unless an Article 9(2) condition applies.

That means a controller processing special-category data usually needs both an Article 6 lawful basis and an Article 9 condition. Explicit consent under Article 9(2)(a) is one possible condition, but Article 9 includes other conditions and also notes that Union or Member State law may prevent the prohibition from being lifted by consent for specified cases.

- First identify the Article 6 lawful basis for the processing purpose.
- Then identify the Article 9(2) condition if the data is special-category data.
- Do not describe Article 9 explicit consent as the same thing as ordinary Article 6 consent.
- Flag health, biometric identification, union membership, political, religious, racial or ethnic, genetic, sex-life, and sexual-orientation data before launch.
- Escalate if the asserted Article 9 condition depends on Union or Member State law not present in the source record.

Sources for this answer:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 9 defines special-category data, states the prohibition, and lists conditions that can lift the prohibition.
- [EDPB Guidelines 05/2020 on consent under Regulation 2016/679](https://edpb.europa.eu/our-work-tools/our-documents/guidelines/edpb-guidelines-052020-consent-under-regulation-2016679_en?ref=sorena.io) - Explains that explicit consent is one Article 9 condition and discusses the additional standard for valid consent.

## Primary sources

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Official GDPR text for Article 6 lawful bases, Article 7 consent conditions, and Article 9 special-category processing conditions.
  - Quote: "Lawfulness of processing"
- [Data Protection Commission - Guidance on Legal Bases for Processing Personal Data](https://www.dataprotection.ie/en/dpc-guidance/guidance-legal-bases-processing-personal-data?ref=sorena.io) - Grounds the controller-facing framing that each processing activity needs a reason or justification and identifies the six Article 6 bases.
  - Quote: "consent; contract; legal obligation; vital interests; public task; or legitimate interests"
- [EDPB Guidelines 05/2020 on consent under Regulation 2016/679](https://edpb.europa.eu/our-work-tools/our-documents/guidelines/edpb-guidelines-052020-consent-under-regulation-2016679_en?ref=sorena.io) - Grounds consent caveats on free choice, conditionality, granularity, records, withdrawal, power imbalance, and switching lawful bases.
  - Quote: "Consent in Article 4(11) of the GDPR"

## Topic Guides

- [Does the EU GDPR apply outside the EU under Article 3?](/artifacts/eu/general-data-protection-regulation/faq/territorial-scope.md): A grounded GDPR Article 3 territorial-scope FAQ covering EU establishment, offering goods or services, monitoring behavior in the EU, and Article 27 representatives.
- [EU GDPR Applicability Test for Products, Vendors, and Data Flows](/artifacts/eu/general-data-protection-regulation/applicability-test.md): A concrete GDPR scope test for personal data, controller and processor roles, EU establishment, EU targeting or monitoring, special-category and child data, transfers, vendors, and evidence.
- [EU GDPR Article 30 RoPA Intake Workflow](/artifacts/eu/general-data-protection-regulation/ropa-intake-workflow.md): Use this GDPR Article 30 RoPA intake workflow to capture controller and processor fields, owners, transfers, retention, security measures, and evidence before a processing activity goes live.
- [EU GDPR Automated Decision-Making and Profiling: Article 22 Scope, Safeguards, and Evidence](/artifacts/eu/general-data-protection-regulation/automated-decision-making-and-profiling.md): source-linked GDPR guide for automated decision-making and profiling: Article 22 scope, profiling definition, transparency, lawful basis, DPIA triggers, human review rights, and evidence.
- [EU GDPR Breach Notification 72 Hours: Article 33 and 34 workflow](/artifacts/eu/general-data-protection-regulation/breach-notification-72-hours.md): Source-grounded EU GDPR breach notification workflow covering awareness, 72-hour supervisory authority notices, processor escalation, high-risk data-subject communication, delay reasons, and evidence logs.
- [EU GDPR Breach Notification Workflow: 72-hour clock, risk assessment, and records](/artifacts/eu/general-data-protection-regulation/breach-notification-workflow.md): A concrete EU GDPR breach notification workflow for detecting and triaging incidents, starting the awareness clock, assessing risk, notifying authorities or data subjects, and keeping Article 33 records.
- [EU GDPR Checklist: scope, lawful basis, DSARs, DPIA, RoPA, transfers](/artifacts/eu/general-data-protection-regulation/checklist.md): Use this GDPR checklist to review scope, lawful basis, notices, DSAR handling, DPIAs, RoPA, processor contracts, SCC transfers, breach notification, retention, security, and evidence.
- [EU GDPR Children and Special-Category Data Guide](/artifacts/eu/general-data-protection-regulation/children-and-special-categories.md): source-linked GDPR guide for Article 8 children's consent, Article 9 special-category data, DPIA triggers, transparency, safeguards, and evidence records.
- [EU GDPR Compliance Checklist: scope, rights, DPIA, RoPA, transfers](/artifacts/eu/general-data-protection-regulation/compliance.md): Practical EU GDPR compliance guide for mapping scope, lawful basis, notices, data-subject rights, DPIAs, RoPA, processor terms, breaches, transfers, retention, security, and penalties.
- [EU GDPR Controller, Processor, and Joint Controller Roles](/artifacts/eu/general-data-protection-regulation/controller-processor-and-joint-controller-roles.md): source-linked GDPR guide for classifying controllers, processors, and joint controllers, with Article 28 contract checks, Article 26 transparency, and vendor evidence.
- [EU GDPR Data Subject Rights and DSAR Workflow](/artifacts/eu/general-data-protection-regulation/data-subject-rights-and-dsar-workflow.md): source-linked GDPR DSAR workflow for intake, identity checks, request scope, the one-month response clock, extensions, refusals, processor escalation, and evidence.
- [EU GDPR deadlines and compliance calendar](/artifacts/eu/general-data-protection-regulation/deadlines-and-compliance-calendar.md): source-linked GDPR calendar entries for applicability, DSAR response timing, breach notification, DPIA review, prior consultation, transfer reviews, and retention checks.
- [EU GDPR DPIA and Prior Consultation Workflow](/artifacts/eu/general-data-protection-regulation/dpia-and-prior-consultation-workflow.md): Screen high-risk processing, run a GDPR Article 35 DPIA, record mitigation, and identify when Article 36 prior consultation is required.
- [EU GDPR DPIA and risk management under Articles 35 and 36](/artifacts/eu/general-data-protection-regulation/dpia-and-risk-management.md): EU GDPR DPIA guide covering Article 35 triggers and contents, CNIL and DPC PIA methods, residual risk, mitigation records, and prior consultation limits.
- [EU GDPR DSAR Exceptions: refusal, extensions, identity checks](/artifacts/eu/general-data-protection-regulation/faq/dsar-exceptions.md): FAQ on when EU GDPR controllers may extend, charge for, narrow, redact, or refuse a data subject access request under Articles 12 and 15.
- [EU GDPR DSAR Workflow: Intake, Clock, Rights, and Evidence](/artifacts/eu/general-data-protection-regulation/dsar-workflow.md): Run a GDPR DSAR workflow for intake, identity checks, rights scoping, one-month response timing, extensions, refusals, processor handoffs, and evidence records.
- [EU GDPR FAQ: scope, lawful basis, rights, DPIA, breaches, transfers](/artifacts/eu/general-data-protection-regulation/faq.md): Direct EU GDPR FAQ answers on scope, controller and processor roles, lawful basis, data subject rights, DPIAs, breach notification, international transfers, and Article 83 fine tiers.
- [EU GDPR International Transfers and SCCs: Chapter V evidence guide](/artifacts/eu/general-data-protection-regulation/international-transfers-and-sccs.md): source-linked guide to GDPR Chapter V transfers, adequacy decisions, SCCs, transfer impact assessments, supplementary measures, and EU-US DPF checks.
- [EU GDPR Lawful Basis and Consent Guide](/artifacts/eu/general-data-protection-regulation/lawful-basis-and-consent.md): Focused GDPR guide to Article 6 lawful bases, consent conditions, legitimate interests, special category data, withdrawal, and evidence records.
- [EU GDPR Lawful Basis and LIA Workflow for Article 6(1)(f)](/artifacts/eu/general-data-protection-regulation/lawful-basis-and-lia-workflow.md): Assess GDPR legitimate interests with a purpose, necessity, balancing, Article 21 objection, and evidence-record workflow grounded in Article 6(1)(f).
- [EU GDPR Lead Supervisory Authority and One-Stop-Shop](/artifacts/eu/general-data-protection-regulation/lead-authority-and-one-stop-shop.md): How GDPR main establishment, cross-border processing, Article 56 lead authority competence, and Article 60 cooperation fit together.
- [EU GDPR LIA Template for Article 6(1)(f)](/artifacts/eu/general-data-protection-regulation/lia-template.md): Use this EU GDPR legitimate interests assessment template to document Article 6(1)(f) purpose, necessity, balancing, safeguards, objection rights, and evidence.
- [EU GDPR penalties and fines: Article 83 tiers and evidence](/artifacts/eu/general-data-protection-regulation/penalties-and-fines.md): EU GDPR penalties and fines guide covering Article 83 fine tiers, assessment factors, Article 58 powers, and evidence records for controllers and processors.
- [EU GDPR Processor Contracts and Vendor Management | Article 28 Evidence Guide](/artifacts/eu/general-data-protection-regulation/processor-contracts-and-vendor-management.md): EU GDPR Article 28 guide for processor contracts, sub-processor controls, controller-processor role boundaries, vendor evidence, and SCC transfer clauses where applicable.
- [EU GDPR Record of Processing Activities Template: Article 30 RoPA Fields](/artifacts/eu/general-data-protection-regulation/record-of-processing-activities-template.md): Build a GDPR Article 30 record of processing activities with separate controller and processor fields for purposes, data categories, recipients, transfers, erasure time limits, and security measures.
- [EU GDPR Requirements: scope, rights, security, DPIA, RoPA, and transfers](/artifacts/eu/general-data-protection-regulation/requirements.md): Overview of core EU GDPR requirements covering scope, principles, lawful basis, notices, data-subject rights, processors, RoPA, security, breaches, DPIAs, and international transfers.
- [EU GDPR Retention and Erasure Schedule](/artifacts/eu/general-data-protection-regulation/retention-and-erasure-schedule.md): Build an EU GDPR retention and erasure schedule around storage limitation, Article 17 erasure grounds, Article 12 rights handling, Article 19 recipient notices, and Article 30 RoPA fields.
- [EU GDPR SCC Transfer Impact Assessment FAQ](/artifacts/eu/general-data-protection-regulation/faq/scc-transfer-impact-assessment.md): source-linked FAQ on when SCC transfer impact assessments are needed, what Clause 14 records, and when supplementary safeguards or transfer suspension are required.
- [EU GDPR Transfer TIA and SCC Workflow](/artifacts/eu/general-data-protection-regulation/transfer-tia-and-scc-workflow.md): A GDPR workflow for checking adequacy, selecting SCC modules, documenting transfer impact assessments, and recording supplementary measures for third-country transfers.
- [EU GDPR Transparency Notices: Articles 12, 13 and 14](/artifacts/eu/general-data-protection-regulation/transparency-notices.md): Source-grounded GDPR guide to privacy notices under Articles 12, 13 and 14: direct collection, third-party data sources, recipients, transfers, retention, rights, and lawful basis.
- [EU GDPR vs Brazil LGPD: GDPR-led comparison and source gaps](/artifacts/eu/general-data-protection-regulation/gdpr-vs-lgpd.md): Compare EU GDPR duties with Brazil LGPD only where the available sources support the comparator, with GDPR rows for lawful basis, rights, breach, transfers, roles, and evidence.
- [EU GDPR vs California CCPA: grounded GDPR comparison limits](/artifacts/eu/general-data-protection-regulation/gdpr-vs-ccpa.md): Compare GDPR implementation duties with source-limited California CCPA/CPRA context, showing where the available grounding supports a claim and where it does not.
- [EU GDPR vs ePrivacy Directive: personal data, cookies, consent, and communications](/artifacts/eu/general-data-protection-regulation/gdpr-vs-eprivacy.md): Compare the EU GDPR and ePrivacy Directive for personal data processing, consent and lawful basis, cookies and terminal access, electronic communications, and parallel compliance.
- [EU GDPR vs UK GDPR: source-limited compliance comparison](/artifacts/eu/general-data-protection-regulation/gdpr-vs-uk-gdpr.md): Compare EU GDPR obligations with source-limited UK GDPR transfer notes grounded in EU GDPR sources, covering scope, lawful basis, rights, accountability, records, DPIAs, security, and transfers.
- [GDPR processor vs controller: role boundaries and evidence](/artifacts/eu/general-data-protection-regulation/faq/processor-vs-controller.md): Decide whether a party is a GDPR controller, processor, or joint controller using purpose-and-means tests, Article 28 terms, Article 26 arrangements, and Article 30 records.
- [GDPR vs EU AI Act: privacy controls for AI systems](/artifacts/eu/general-data-protection-regulation/gdpr-vs-ai-act.md): Compare GDPR privacy duties with the EU AI Act only where the GDPR source pack supports the point: lawful basis, notices, DPIA, ADM, RoPA, rights, and source limits.
- [GDPR vs EU Data Act: personal data safeguards and source limits](/artifacts/eu/general-data-protection-regulation/gdpr-vs-data-act.md): Compare GDPR obligations with the EU Data Act only where the available GDPR grounding supports the fact pattern, with clear safeguards for personal data, rights, transfers, and accountability.
- [When does the EU GDPR require a DPIA?](/artifacts/eu/general-data-protection-regulation/faq/dpia-threshold.md): Answer the EU GDPR DPIA threshold question with Article 35 triggers, high-risk criteria, supervisory-authority list checks, and DPIA content requirements.
- [When does the GDPR 72-hour breach notification clock start?](/artifacts/eu/general-data-protection-regulation/faq/breach-awareness-clock.md): GDPR breach-awareness FAQ covering the Article 33 clock, processor escalation, delayed or phased notifications, risk assessment, and records to keep.

*Recommended next step*

*Placement: before sources*

## Map each purpose to its Article 6 basis

Sorena can help convert this GDPR FAQ into cited Article 6 records, consent checks, legitimate-interest assessments, and Article 9 escalation notes.

- [Open Research Copilot for EU GDPR](/solutions/research-copilot.md): Ask source-linked questions about Article 6 bases, consent caveats, legitimate interests, and special-category data.
- [Talk through implementation](/contact.md): Review your GDPR legal-basis map, weak consent paths, and evidence gaps with Sorena.


---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/eu/general-data-protection-regulation/faq/legal-bases