
How to Determine the GDPR Legal Basis in 2026


Introduction

The legal basis is the legal foundation that authorizes an organization to process personal data. Since the GDPR came into effect, every processing operation must rely on one of the six legal bases defined in Article 6. Choosing the right basis is not merely an administrative task: it is a responsible act that determines the lawfulness of the processing, individuals’ rights, and the company’s obligations. An incorrect qualification can result in fines, loss of customer trust, and expensive corrective measures. This tutorial walks you through the steps to identify, document, and justify the most suitable legal basis for your situation.

Prerequisites

  • Understand the definition of personal data
  • Have identified the data processing activities within your organization
  • Maintain an up-to-date register of processing activities

The Six GDPR Legal Bases

The GDPR provides six legal bases. Each applies to a specific context:

  1. Consent: the individual has given free, specific, informed, and unambiguous agreement.
  2. Contractual necessity: processing is necessary to perform a contract.
  3. Legal obligation: processing is required by law or regulation.
  4. Vital interests: protection of a person’s life.
  5. Public task: processing is necessary for a task carried out in the public interest.
  6. Legitimate interests: processing is necessary for the organization’s legitimate interests, and those interests are not overridden by the rights and freedoms of the individuals concerned (this requires a documented balancing test).

4-Step Method to Choose the Legal Basis

Follow this structured approach:

  1. Describe the processing precisely: purpose, data involved, recipients.
  2. Assess necessity: is the processing strictly necessary?
  3. Evaluate individuals’ expectations: what is their relationship with the organization?
  4. Document the choice: record the legal basis and justification in the processing register.

Practical Example: Newsletter and Marketing

A company wants to send a commercial newsletter. Two scenarios apply, depending on the recipient’s relationship with the company:

  • Existing customers: legitimate interest may be used, provided easy unsubscribe options are available and a balancing test has been performed.
  • Prospects: consent is generally required since no prior contractual relationship exists.

This distinction highlights the need to adapt the legal basis to the specific relationship context.

Best Practices

  • Always document the reasoning behind the chosen legal basis
  • Clearly inform data subjects of the selected basis
  • Periodically reassess the relevance of the chosen basis
  • Define an alternative legal basis when feasible
  • Train business teams on this analysis from the project design phase

Common Mistakes to Avoid

  • Defaulting to consent when another basis is more appropriate
  • Failing to distinguish different purposes within the same processing
  • Not updating the register when the context changes
  • Confusing legitimate interest with commercial interest without prior analysis

Further Learning

Deepen your GDPR compliance skills with certified training from Learni: https://learni-group.com/formations. You will find dedicated modules on legal basis analysis and drafting processing registers.