Artifact GuideEU GDPR

GDPR lawful basis and consent

Use this page to document the Article 6 basis for each processing purpose, decide when consent is valid, and keep evidence that survives withdrawal, purpose changes, and record-of-processing review.

Covers consent, contract, legal obligation, vital interests, public task, legitimate interests, Article 7 consent conditions, Article 9 special-category distinction, and RoPA evidence.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Sections
5

Structured answer sets in this page tree.

Primary sources
4

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

GDPR lawful-basis work starts before processing begins. For each purpose, record one Article 6 basis, explain why that basis fits the facts, separate consent from other grounds, and add Article 9 analysis when the data is special category data.

Section 1

Article 6 bases to choose from before processing

Article 6 says processing is lawful only if at least one listed basis applies. The six bases are consent, contract, legal obligation, vital interests, public task or official authority, and legitimate interests.

Do not treat consent as the default. The selected basis should match the purpose and facts at collection time, because EDPB consent guidance warns against presenting consent while relying on another basis or retrospectively moving from consent to legitimate interests after consent problems appear.

  • Consent: use only where the person can make a free, specific, informed, and unambiguous choice for one or more specific purposes.
  • Contract: use where processing is necessary for a contract with the data subject or pre-contract steps requested by the data subject.
  • Legal obligation: use where processing is necessary for a controller's legal obligation under applicable Union or Member State law.
  • Vital interests: use where processing is necessary to protect vital interests of the data subject or another natural person.
  • Public task or official authority: use where processing is necessary for a task in the public interest or official authority vested in the controller.
  • Legitimate interests: use where the controller or a third party has a legitimate interest, the processing is necessary for that interest, and the data subject's interests, rights, and freedoms do not override it.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Article 6 lists the lawful bases and requires at least one to apply before processing is lawful.
EDPB Guidelines 05/2020 on consent under Regulation 2016/679
Explains that controllers must decide the applicable lawful basis before collection and cannot swap from consent to another basis after consent is withdrawn or invalid.
Data Protection Commission - Guidance on Legal Bases for Processing Personal Data
Summarizes the Article 6 bases and frames lawful-basis selection as a controller question: why is this personal data being processed?
Section 2

Consent conditions under Article 7

Consent is valid only when the request and the user's action meet GDPR conditions. The controller must be able to demonstrate consent, keep consent requests distinguishable from other matters, use clear and plain language, inform the person about withdrawal before consent is given, and make withdrawal as easy as giving consent.

Consent requests should be granular by purpose. EDPB guidance treats separate opt-ins, clear purpose descriptions, controller identity, data types, withdrawal information, and a clear affirmative action as central to valid consent.

  • Do not use pre-ticked boxes, silence, inactivity, blanket terms acceptance, or merely continuing to use a service as consent.
  • Do not bundle unnecessary processing into contract acceptance or make a service conditional on consent for data that is not necessary for that service.
  • Keep consent information clear enough for the audience, including the controller identity, each purpose, the data types used, and how withdrawal works.
  • When consent is collected in a product interface, preserve the version of the request, screen or flow, information shown, timestamp or session evidence, and the action that signaled agreement.
  • Refresh or re-collect consent when the processing operation changes or evolves so much that the original consent no longer covers it.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Article 7 sets the controller's burden to demonstrate consent and the rules for distinguishable requests, withdrawal, and conditionality.
EDPB Guidelines 05/2020 on consent under Regulation 2016/679
Details the elements of free, specific, informed, and unambiguous consent, including granularity, clear affirmative action, and proof records.
Section 4

Special category data needs a separate Article 9 check

Article 9 is separate from Article 6. If the data reveals or concerns racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used for unique identification, health, sex life, or sexual orientation, the Article 9 prohibition must also be addressed.

Explicit consent under Article 9(2)(a) is only one possible exception. Do not turn every special-category use into a consent workflow when another Article 9 condition is the actual ground or where Union or Member State law affects whether consent can lift the prohibition.

  • First record the Article 6 basis for the processing purpose.
  • Then record whether Article 9 applies and, if it does, which Article 9(2) condition is relied on.
  • Separate ordinary consent under Article 6(1)(a) from explicit consent under Article 9(2)(a).
  • Do not infer national derogations, healthcare rules, employment rules, or public-interest grounds unless the supporting law is identified in the evidence record.
  • Flag Article 10 separately when criminal convictions or offences data is involved.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Article 9 defines special categories of personal data and lists conditions that can lift the Article 9(1) prohibition.
Data Protection Commission - Records of Processing Activities under Article 30 GDPR
Recommends adding the Article 6 legal basis and Article 9 basis for special-category data as useful RoPA information.
Recommended next step

Build consent, legitimate-interest, and RoPA evidence from the same source-linked record

Sorena can help map each processing purpose to an Article 6 basis, identify consent and Article 9 issues, and keep the evidence needed for notices, withdrawal handling, and RoPA review.

Research workflow
Open Research Copilot for EU GDPR

Ask source-linked questions about Article 6 lawful bases, Article 7 consent, Article 9 special-category data, and evidence records using the cited sources on this page.

Explore next step
Talk to Sorena
Talk through GDPR lawful-basis records

Review your consent flows, legitimate-interest records, special-category analysis, and RoPA fields with Sorena.

Explore next step
Primary sources

References and citations

Regulation (EU) 2016/679 (GDPR)
eur-lex.europa.eu
Referenced sections
  • Article 30 sets records-of-processing requirements and Article 7 requires controllers to demonstrate consent.
"Records of processing activities"
Related guides

Explore more topics

Does the EU GDPR apply outside the EU under Article 3?
A grounded GDPR Article 3 territorial-scope FAQ covering EU establishment, offering goods or services, monitoring behavior in the EU, and Article 27 representatives.
EU GDPR Applicability Test for Products, Vendors, and Data Flows
A concrete GDPR scope test for personal data, controller and processor roles, EU establishment, EU targeting or monitoring, special-category and child data, transfers, vendors, and evidence.
EU GDPR Article 30 RoPA Intake Workflow
Use this GDPR Article 30 RoPA intake workflow to capture controller and processor fields, owners, transfers, retention, security measures, and evidence before a processing activity goes live.
EU GDPR Article 6 Legal Bases FAQ
FAQ on the six Article 6 GDPR lawful bases, consent caveats, legitimate interests, public-task and legal-obligation limits, and Article 9 special-category data.
EU GDPR Automated Decision-Making and Profiling: Article 22 Scope, Safeguards, and Evidence
source-linked GDPR guide for automated decision-making and profiling: Article 22 scope, profiling definition, transparency, lawful basis, DPIA triggers, human review rights, and evidence.
EU GDPR Breach Notification 72 Hours: Article 33 and 34 workflow
Source-grounded EU GDPR breach notification workflow covering awareness, 72-hour supervisory authority notices, processor escalation, high-risk data-subject communication, delay reasons, and evidence logs.
EU GDPR Breach Notification Workflow: 72-hour clock, risk assessment, and records
A concrete EU GDPR breach notification workflow for detecting and triaging incidents, starting the awareness clock, assessing risk, notifying authorities or data subjects, and keeping Article 33 records.
EU GDPR Checklist: scope, lawful basis, DSARs, DPIA, RoPA, transfers
Use this GDPR checklist to review scope, lawful basis, notices, DSAR handling, DPIAs, RoPA, processor contracts, SCC transfers, breach notification, retention, security, and evidence.
EU GDPR Children and Special-Category Data Guide
source-linked GDPR guide for Article 8 children's consent, Article 9 special-category data, DPIA triggers, transparency, safeguards, and evidence records.
EU GDPR Compliance Checklist: scope, rights, DPIA, RoPA, transfers
Practical EU GDPR compliance guide for mapping scope, lawful basis, notices, data-subject rights, DPIAs, RoPA, processor terms, breaches, transfers, retention, security, and penalties.
EU GDPR Controller, Processor, and Joint Controller Roles
source-linked GDPR guide for classifying controllers, processors, and joint controllers, with Article 28 contract checks, Article 26 transparency, and vendor evidence.
EU GDPR Data Subject Rights and DSAR Workflow
source-linked GDPR DSAR workflow for intake, identity checks, request scope, the one-month response clock, extensions, refusals, processor escalation, and evidence.
EU GDPR deadlines and compliance calendar
source-linked GDPR calendar entries for applicability, DSAR response timing, breach notification, DPIA review, prior consultation, transfer reviews, and retention checks.
EU GDPR DPIA and Prior Consultation Workflow
Screen high-risk processing, run a GDPR Article 35 DPIA, record mitigation, and identify when Article 36 prior consultation is required.
EU GDPR DPIA and risk management under Articles 35 and 36
EU GDPR DPIA guide covering Article 35 triggers and contents, CNIL and DPC PIA methods, residual risk, mitigation records, and prior consultation limits.
EU GDPR DSAR Exceptions: refusal, extensions, identity checks
FAQ on when EU GDPR controllers may extend, charge for, narrow, redact, or refuse a data subject access request under Articles 12 and 15.
EU GDPR DSAR Workflow: Intake, Clock, Rights, and Evidence
Run a GDPR DSAR workflow for intake, identity checks, rights scoping, one-month response timing, extensions, refusals, processor handoffs, and evidence records.
EU GDPR FAQ: scope, lawful basis, rights, DPIA, breaches, transfers
Direct EU GDPR FAQ answers on scope, controller and processor roles, lawful basis, data subject rights, DPIAs, breach notification, international transfers, and Article 83 fine tiers.
EU GDPR International Transfers and SCCs: Chapter V evidence guide
source-linked guide to GDPR Chapter V transfers, adequacy decisions, SCCs, transfer impact assessments, supplementary measures, and EU-US DPF checks.
EU GDPR Lawful Basis and LIA Workflow for Article 6(1)(f)
Assess GDPR legitimate interests with a purpose, necessity, balancing, Article 21 objection, and evidence-record workflow grounded in Article 6(1)(f).
EU GDPR Lead Supervisory Authority and One-Stop-Shop
How GDPR main establishment, cross-border processing, Article 56 lead authority competence, and Article 60 cooperation fit together.
EU GDPR LIA Template for Article 6(1)(f)
Use this EU GDPR legitimate interests assessment template to document Article 6(1)(f) purpose, necessity, balancing, safeguards, objection rights, and evidence.
EU GDPR penalties and fines: Article 83 tiers and evidence
EU GDPR penalties and fines guide covering Article 83 fine tiers, assessment factors, Article 58 powers, and evidence records for controllers and processors.
EU GDPR Processor Contracts and Vendor Management | Article 28 Evidence Guide
EU GDPR Article 28 guide for processor contracts, sub-processor controls, controller-processor role boundaries, vendor evidence, and SCC transfer clauses where applicable.
EU GDPR Record of Processing Activities Template: Article 30 RoPA Fields
Build a GDPR Article 30 record of processing activities with separate controller and processor fields for purposes, data categories, recipients, transfers, erasure time limits, and security measures.
EU GDPR Requirements: scope, rights, security, DPIA, RoPA, and transfers
Overview of core EU GDPR requirements covering scope, principles, lawful basis, notices, data-subject rights, processors, RoPA, security, breaches, DPIAs, and international transfers.
EU GDPR Retention and Erasure Schedule
Build an EU GDPR retention and erasure schedule around storage limitation, Article 17 erasure grounds, Article 12 rights handling, Article 19 recipient notices, and Article 30 RoPA fields.
EU GDPR SCC Transfer Impact Assessment FAQ
source-linked FAQ on when SCC transfer impact assessments are needed, what Clause 14 records, and when supplementary safeguards or transfer suspension are required.
EU GDPR Transfer TIA and SCC Workflow
A GDPR workflow for checking adequacy, selecting SCC modules, documenting transfer impact assessments, and recording supplementary measures for third-country transfers.
EU GDPR Transparency Notices: Articles 12, 13 and 14
Source-grounded GDPR guide to privacy notices under Articles 12, 13 and 14: direct collection, third-party data sources, recipients, transfers, retention, rights, and lawful basis.
EU GDPR vs Brazil LGPD: GDPR-led comparison and source gaps
Compare EU GDPR duties with Brazil LGPD only where the available sources support the comparator, with GDPR rows for lawful basis, rights, breach, transfers, roles, and evidence.
EU GDPR vs California CCPA: grounded GDPR comparison limits
Compare GDPR implementation duties with source-limited California CCPA/CPRA context, showing where the available grounding supports a claim and where it does not.
EU GDPR vs ePrivacy Directive: personal data, cookies, consent, and communications
Compare the EU GDPR and ePrivacy Directive for personal data processing, consent and lawful basis, cookies and terminal access, electronic communications, and parallel compliance.
EU GDPR vs UK GDPR: source-limited compliance comparison
Compare EU GDPR obligations with source-limited UK GDPR transfer notes grounded in EU GDPR sources, covering scope, lawful basis, rights, accountability, records, DPIAs, security, and transfers.
GDPR processor vs controller: role boundaries and evidence
Decide whether a party is a GDPR controller, processor, or joint controller using purpose-and-means tests, Article 28 terms, Article 26 arrangements, and Article 30 records.
GDPR vs EU AI Act: privacy controls for AI systems
Compare GDPR privacy duties with the EU AI Act only where the GDPR source pack supports the point: lawful basis, notices, DPIA, ADM, RoPA, rights, and source limits.
GDPR vs EU Data Act: personal data safeguards and source limits
Compare GDPR obligations with the EU Data Act only where the available GDPR grounding supports the fact pattern, with clear safeguards for personal data, rights, transfers, and accountability.
When does the EU GDPR require a DPIA?
Answer the EU GDPR DPIA threshold question with Article 35 triggers, high-risk criteria, supervisory-authority list checks, and DPIA content requirements.
When does the GDPR 72-hour breach notification clock start?
GDPR breach-awareness FAQ covering the Article 33 clock, processor escalation, delayed or phased notifications, risk assessment, and records to keep.