GDPR Lawful Basis for Processing Explained: A Developer Guide

Every piece of personal data your application processes requires a valid legal foundation under GDPR. This foundation is called the “lawful basis for processing,” and selecting the correct one is not optional—it’s a fundamental requirement that affects every subsequent data handling decision. This guide breaks down all six lawful bases with practical implementation patterns for developers building privacy-conscious applications.

Understanding the Six Lawful Bases

GDPR Article 6(1) establishes six possible lawful bases for processing personal data. Your choice determines what rights data subjects have, how you must document your decision, and what happens when someone withdraws consent.

The six bases are:

1. Consent — The individual gave explicit permission
2. Contract — Processing is necessary to fulfill a contract
3. Legal obligation — Processing is required by law
4. Vital interests — Processing protects someone’s life
5. Public task — Processing is necessary for public authority functions
6. Legitimate interest — Your organization’s interests override individual rights

Each basis suits different scenarios. Choosing incorrectly can result in regulatory fines and force you to delete legitimately collected data.

Consent: The Most Common Basis for Consumer Apps

Consent applies when you need explicit permission from users to process their data. It’s the basis most consumer-facing applications use for marketing emails, analytics tracking, and personalized features.

Valid consent under GDPR must be:

• Freely given — Users must have a genuine choice
• Specific — Each purpose needs separate consent
• ** informed** — Users understand what they’re agreeing to
• Unambiguous — Clear affirmative action required

Implementing Consent in Code

Store consent with granular purpose tracking:

// consent schema for database storage
const consentRecord = {
  userId: "usr_123abc",
  consents: {
    marketing_emails: {
      granted: true,
      timestamp: "2026-03-15T10:30:00Z",
      ipAddress: "192.168.1.1",
      purpose: "Send promotional emails about products",
      withdrawalMethod: "email unsubscribe link"
    },
    analytics: {
      granted: true,
      timestamp: "2026-03-15T10:30:00Z",
      ipAddress: "192.168.1.1",
      purpose: "Aggregate usage analytics for product improvement",
      withdrawalMethod: "account settings"
    }
  },
  version: "2.0", // consent policy version
  proof: "checkbox_checked_on_registration_form"
};

Always provide withdrawal mechanisms. When a user revokes consent, your system must stop processing and typically delete the related data:

function handleConsentWithdrawal(userId, purpose) {
  // Update consent record
  db.users.update(
    { _id: userId },
    { 
      $set: { 
        [`consents.${purpose}.granted`]: false,
        [`consents.${purpose}.withdrawnAt`]: new Date().toISOString()
      } 
    }
  );
  
  // Trigger data deletion for that purpose
  if (purpose === 'marketing_emails') {
    deleteUserMarketingData(userId);
    unsubscribeFromEmailService(userId);
  }
}

Contract: Processing Required for Service Delivery

Use this basis when processing is essential to provide your core service. The key test: without this processing, you literally cannot deliver what the user contracted for.

Typical use cases include:

• Processing payment to complete a purchase
• Shipping a product to a provided address
• Hosting files as part of a cloud storage service

Contract Implementation Pattern

Document which processing operations fall under “contract necessity”:

# Define contract-necessary processing in your application
CONTRACT_NECESSARY_PROCESSING = {
    'ecommerce': [
        'process_payment',
        'fulfill_shipping',
        'generate_invoice',
        'handle_returns'
    ],
    'saas_platform': [
        'authenticate_user',
        'provision_workspace',
        'store_user_files',
        'generate_usage_reports'
    ]
}

def is_processing_necessary_for_contract(service_type, operation):
    """Check if operation is necessary for contract fulfillment."""
    return operation in CONTRACT_NECESSARY_PROCESSING.get(service_type, [])

Legal Obligation: When Law Requires Processing

Some processing is mandatory under other laws. When GDPR applies alongside other regulations (like tax law, anti-money laundering, or healthcare privacy rules), you can rely on legal obligation as your basis.

This basis differs from others: you cannot offer users a choice, and withdrawal requests generally don’t apply since you’re fulfilling a legal requirement.

// Document legal obligations in your processing records
const legalObligation = {
  regulation: "GDPR Article 6(1)(c)",
  applicableLaw: "Tax Registration and Reporting Act",
  requiredProcessing: [
    "retain_invoice_records_7_years",
    "report_transaction_data_to_tax_authority",
    "verify_customer_identity_for_aml"
  ],
  authority: "National Tax Administration",
  retentionPeriod: "7 years from transaction date"
};

Vital Interests: Emergency Situations Only

This basis applies only when processing is necessary to protect someone’s life. It’s rarely used in typical application development but applies to:

• Medical emergency systems
• Disaster response applications
• Safety monitoring for at-risk individuals

Document these cases thoroughly since the threshold is high.

Legitimate Interest: The Flexible but Complex Basis

Legitimate interest requires balancing your organization’s interests against individual privacy rights. It’s the most flexible basis but demands comprehensive documentation through a Legitimate Interest Assessment (LIA).

The three-part test from the ICO:

1. Identify a legitimate interest — What is your purpose?
2. Is processing necessary? — Can you achieve the same result without personal data?
3. Balance against individual rights — Does your interest outweigh their privacy?

class LegitimateInterestAssessment {
  constructor(purpose, processingType) {
    this.purpose = purpose;
    this.processingType = processingType;
    this.legitimateInterest = null;
    this.necessity = null;
    this.balanceResult = null;
  }

  assess() {
    this.legitimateInterest = this.validateInterest();
    this.necessary = this.checkNecessity();
    this.balanceResult = this.balanceAgainstRights();
    
    return {
      isValid: this.legitimateInterest && this.necessary && this.balanceResult,
      documentation: this.generateDocumentation()
    };
  }

  validateInterest() {
    const recognizedInterests = [
      'fraud_prevention',
      'network_security',
      'direct_marketing',
      'product_improvement'
    ];
    return recognizedInterests.includes(this.purpose);
  }
}

Choosing the Right Basis: Practical Decision Framework

Use this decision logic when selecting a lawful basis:

def select_lawful_basis(use_case, user_context, processing_type):
    """
    Select appropriate GDPR lawful basis based on context.
    """
    # Check if processing is legally required
    if is_legally_required(processing_type):
        return {'basis': 'legal_obligation', 'requires_documentation': True}
    
    # Check if processing is necessary for contract
    if use_case == 'contract_fulfillment' and is_essential_for_contract(processing_type):
        return {'basis': 'contract', 'requires_documentation': False}
    
    # Check vital interests (rare)
    if use_case == 'emergency' and protects_life(processing_type):
        return {'basis': 'vital_interests', 'requires_documentation': True}
    
    # Default to consent or legitimate interest for most cases
    if has_user_consent(user_context, processing_type):
        return {'basis': 'consent', 'requires_documentation': True}
    
    if can_demonstrate_legitimate_interest(processing_type):
        return {'basis': 'legitimate_interest', 'requires_documentation': True}
    
    # No valid basis found - do not process
    return {'basis': None, 'error': 'No lawful basis available'}

What Happens When Lawful Basis Changes

Under GDPR, you cannot retroactively change your lawful basis to circumvent requirements. If you initially collected data under consent but later want to rely on legitimate interest, you must:

1. Notify the data subject of the new basis
2. Ensure the new basis was valid at collection time
3. Document the change and reasoning

Summary: Key Takeaways for Developers

Document your basis choice—regulators will ask what basis you used and you must be able to answer. Implement consent properly by storing proof, enabling withdrawal, and handling withdrawal promptly. Use the contract basis only for genuinely essential features; stretching it beyond scope invites scrutiny. Legitimate interest requires the most documentation, so treat it with care. Revisit your records as the application evolves, because lawful basis decisions are not one-time choices.

Related Reading

• Privacy Tools Guides Hub

Built by theluckystrike — More at zovo.one