A Practical Guide to GDPR Legal Bases Explained
TL;DR — Quick Answer
4 min readGDPR Article 6 provides six legal bases: consent, contract, legal obligation, vital interests, public task, and legitimate interests. Pick the basis that genuinely fits the purpose before processing begins.
This guide explains GDPR Legal Bases Explained in practical terms, with a focus on privacy-first analytics decisions.
Under the GDPR, processing personal data is lawful only if at least one legal basis applies. The six legal bases are listed in GDPR Article 6: consent, contract, legal obligation, vital interests, public task, and legitimate interests.
Choosing a legal basis is not a paperwork exercise. It affects transparency wording, user rights, withdrawal options, objection rights, and whether the processing is defensible at all.
1. Consent
Consent applies when a person freely gives a specific, informed, and unambiguous indication of agreement. It must be as easy to withdraw as it is to give. Pre-ticked boxes, silence, inactivity, and bundled consent do not work.
Use consent when people have a real choice, such as optional marketing emails or non-essential cookies. Do not use consent when the person has no practical alternative, such as an employee being asked to consent to core HR processing.
For cookies and tracking, remember that ePrivacy consent may be required even before GDPR legal basis analysis. If analytics cookies are optional, they generally need prior consent in Europe unless a narrow exemption applies.
2. Contract
Contract applies when processing is necessary to perform a contract with the person or to take requested steps before entering into a contract.
Examples:
- Processing a shipping address to deliver an order.
- Creating an account so a user can access a paid service.
- Processing payment details for a subscription.
It does not cover processing that is merely useful to the business. Behavioral advertising is not necessary to deliver a SaaS account. Product analytics may support the service, but it usually needs a separate analysis.
3. Legal Obligation
Legal obligation applies when EU or member-state law requires the processing. Examples include tax records, employment law obligations, accounting retention, sanctions screening in some contexts, or responding to lawful regulatory requests.
The obligation must come from law, not a contract or internal policy. If a vendor contract says you must collect certain marketing data, that is not a GDPR legal obligation.
4. Vital Interests
Vital interests applies when processing is necessary to protect someone's life. It is narrow and rare in normal business operations.
Examples might include emergency medical information or crisis response. It is usually not relevant to website analytics, marketing, or SaaS onboarding.
5. Public Task
Public task applies when processing is necessary for a task carried out in the public interest or under official authority. It is mainly used by public bodies or private organizations exercising official functions under law.
Most private companies cannot use public task for routine commercial processing.
Flowsery
Start Free Trial
Real-time dashboard
Goal tracking
Cookie-free tracking
6. Legitimate Interests
Legitimate interests can apply when the controller or a third party has a legitimate interest, the processing is necessary for that interest, and the person's rights and freedoms do not override it.
This requires a balancing test. A typical legitimate interests assessment asks:
- What is the legitimate interest?
- Is the processing necessary for that interest?
- What is the impact on individuals?
- What safeguards reduce that impact?
- Can people reasonably expect this processing?
- Can they object easily?
Potential examples include fraud prevention, network security, basic B2B prospecting, or limited first-party analytics in some contexts. But legitimate interests is not a magic phrase for tracking. Cross-site advertising, invasive profiling, sensitive inference, and unexpected data sharing are much harder to justify.
Legal Bases and Individual Rights
The legal basis changes the rights available:
| Legal basis | Practical consequence |
|---|---|
| Consent | User can withdraw consent |
| Contract | Processing must be necessary for the contract |
| Legal obligation | Deletion may be limited by retention laws |
| Vital interests | Narrow emergency use |
| Public task | Objection rights may apply |
| Legitimate interests | User has a right to object |
You must tell people the legal basis in your privacy notice.
Analytics Examples
Cookie-based Google Analytics
A typical GA4 web setup uses cookies to distinguish users and sessions, as Google explains in its GA4 cookie documentation. In Europe, this usually raises ePrivacy consent questions before the analytics cookie is set. GDPR legal basis then depends on the processing design, vendor terms, transfers, and whether advertising features are enabled.
Cookieless aggregate analytics
A cookieless tool that avoids identifiers, IP storage, fingerprinting, advertising reuse, and personal event payloads may reduce or avoid personal-data processing depending on implementation. Even then, the organization should document the purpose, data categories, retention, and vendor role.
Product analytics inside an account
Authenticated product analytics often processes account-level personal data. Contract may cover events necessary to provide the service, while legitimate interests may cover security or product improvement. Sensitive or optional uses may need consent or a different basis.
Common Mistakes
- Choosing consent because it sounds safest, then making the service unusable if consent is refused.
- Using contract for processing that is only useful for marketing.
- Using legitimate interests without a balancing test.
- Forgetting ePrivacy rules for cookies and device storage.
- Changing purposes later without reassessing compatibility.
- Failing to update the privacy notice when tools change.
The right legal basis is the one that honestly fits the processing. If no basis fits, the answer is not creative wording. The answer is to stop or redesign the processing.
Document the Choice
For each processing purpose, record the chosen basis and one sentence explaining why it fits. This is especially important for analytics, marketing, and AI features, where teams often inherit assumptions from old tools. A short record is easier to maintain than a long memo nobody updates.
Legal-Basis Record Checklist
For each analytics purpose, write down the legal basis and why it fits: public website audience measurement, marketing pixels, product telemetry, fraud prevention, account analytics, and support diagnostics may each need a different analysis. Do not reuse one basis for the whole stack.
Also check ePrivacy rules before tags run. Even when GDPR legitimate interests may be arguable for limited analytics, device storage, cookies, pixels, SDKs, or similar access may still require consent unless a narrow exemption applies in the relevant jurisdiction.
Was this article helpful?
Let us know what you think!
Before you go...
Flowsery
Revenue-first analytics for your website
Track every visitor, source, and conversion in real time. Simple, powerful, and fully GDPR compliant.
Real-time dashboard
Goal tracking
Cookie-free tracking
Related Articles
A Practical Guide to tracking consent
Tracking consent under GDPR must be freely given, specific, informed, and easy to withdraw. This guide explains the rules and the common mistakes that make consent invalid.
A Practical Guide to 7 principles of gdpr
The 7 principles of GDPR shape everything from lawful processing to storage limits. This guide explains what each principle means in practice.
A Practical Guide to data processing agreement
A practical guide to the GDPR data processing agreement, including what it covers, which clauses it must contain, and why every SaaS tool and cloud service relationship should be reviewed.