3.3 The Six Lawful Bases (Art. 6) & Consent (Art. 7)
Key Takeaways
- Article 6 lists six lawful bases — consent, contract, legal obligation, vital interests, public task, and legitimate interests; all are equal, with no single basis inherently superior
- Valid consent (Art. 4(11) and Art. 7) must be freely given, specific, informed, and unambiguous by clear affirmative action, and as easy to withdraw as to give
- Legitimate interests (Art. 6(1)(f)) requires a documented three-part Legitimate Interests Assessment — purpose, necessity, and balancing tests; it is unavailable to public authorities performing their tasks
- For information-society services offered to children, parental consent is required for those under 16 (Art. 8), though Member States may lower this to no less than 13
You Always Need a Lawful Basis
Quick Answer: Under Article 6, every processing activity needs at least one of six lawful bases: consent, contract, legal obligation, vital interests, public task, or legitimate interests. The bases are equal — the exam rewards choosing the most appropriate basis and recognising why a tempting basis (often consent) is the wrong fit.
You must identify the lawful basis before processing begins and record it (an accountability requirement). Switching bases mid-stream is generally not permitted — you cannot, for example, fall back on legitimate interests when withdrawn consent leaves you exposed. That is why the initial choice carries so much weight in exam scenarios. A second trap: for special category data you need both an Article 6 basis and an Article 9 condition. The two-key requirement is a favourite distractor — a fact pattern that satisfies Article 6 but ignores Article 9 is still unlawful for health, biometric, or political data.
The Six Lawful Bases (Art. 6(1))
| Basis | Article | Best fit when... | Watch out for |
|---|---|---|---|
| Consent | 6(1)(a) | The individual has a genuine, free choice | Power imbalance (employer/employee) undermines it |
| Contract | 6(1)(b) | Processing is necessary to perform a contract with the subject (or pre-contract steps at their request) | Only covers what is necessary, not all related activity |
| Legal obligation | 6(1)(c) | EU or Member State law compels the processing | Must be a real legal duty, not a business preference |
| Vital interests | 6(1)(d) | Needed to protect someone's life | Narrow; usually only where consent is impossible |
| Public task | 6(1)(e) | A task in the public interest or exercise of official authority | For public authorities; bars their use of legitimate interests for official tasks |
| Legitimate interests | 6(1)(f) | A genuine interest not overridden by the subject's rights | Requires a documented balancing test; unavailable to public authorities in their tasks |
A worked example: an online retailer uses contract (6(1)(b)) to process a delivery address, legal obligation (6(1)(c)) to keep tax invoices, and legitimate interests (6(1)(f)) for fraud screening — three different bases for three activities in one transaction. It should not lean on consent for the delivery address, because shipping is necessary to perform the contract and consent would be unnecessary (and could be withdrawn, breaking the order).
Valid Consent (Art. 4(11) and Art. 7)
Consent sets a high bar. It must be:
- Freely given — no detriment for refusal; bundled or "take it or leave it" consent is invalid, especially where there is a power imbalance or where consent is made a condition of a service that does not need the data (Art. 7(4)).
- Specific — granular, per purpose; no blanket consent covering unrelated activities.
- Informed — the subject knows the controller's identity, the purposes, and the right to withdraw.
- Unambiguous — given by a clear affirmative action. Pre-ticked boxes, silence, and inactivity are not valid consent (confirmed by CJEU Planet49, which also held that consent must be specific to the cookies set).
Additional Article 7 conditions: the controller must demonstrate consent was given; the request must be clearly distinguishable from other matters, intelligible, and in plain language; and consent must be as easy to withdraw as to give, with no penalty and prospective effect only. For special category data, consent must be explicit (Art. 9(2)(a)) — a heightened standard often satisfied by an express written or double opt-in statement rather than a mere tick. Withdrawal does not retroactively invalidate processing already carried out, but it must stop future processing that relied on consent.
Legitimate Interests, the LIA, and Children (Art. 8)
Legitimate interests (Art. 6(1)(f)) is the most flexible basis but demands a documented Legitimate Interests Assessment (LIA) with three parts:
- Purpose test — Is there a genuine, lawful interest (fraud prevention, network/information security, intra-group transfers, direct marketing)?
- Necessity test — Is the processing necessary to achieve it, with no less intrusive alternative?
- Balancing test — Do the individual's interests, rights, and freedoms override the interest, given their reasonable expectations and any safeguards?
Key limits: legitimate interests is not available to public authorities in performing their tasks (they use public task instead), and the right to object (Art. 21) always applies. Recital 47 notes direct marketing may be a legitimate interest, but ePrivacy rules and the objection right still bind.
Children (Art. 8): where consent is the basis for an information-society service offered directly to a child, processing is lawful only if the child is at least 16, or with authorisation from the holder of parental responsibility below that age. Member States may lower the threshold to no less than 13 — Germany, France, and the Netherlands keep 16; Ireland and Spain use 13. The controller must make reasonable efforts to verify parental authorisation using available technology.
Article 8 applies to consent-based ISS only — it does not gate processing under contract or legitimate interests, though Recital 38 still calls for specific protection of children's data generally.
A quick decision drill for the exam: when a scenario hands you a tempting consent answer, run the freely-given / power-imbalance check first, then ask whether a better-fitting basis exists (contract for service delivery, legal obligation for tax or AML records, legitimate interests for security). If the data is special category, confirm a matching Article 9(2) condition. And if a child is involved in a consent-based online service, the age threshold and parental authorisation are almost always the fact the question turns on.
An employer wants to rely on employee consent to install GPS trackers in company cars. An advisor warns this basis is risky. What is the strongest reason consent is a poor lawful basis here?
A social app aimed at the general public in Germany relies on consent to process personal data and offers its service as an information-society service. A 14-year-old signs up. Absent a German derogation lowering the age, what does Article 8 require?