Article 6 GDPR: choosing the right legal basis to secure your processing operations

By the law firm Mirabile Avocat — Digital law, GDPR and regulatory compliance


Since the General Data Protection Regulation (GDPR, EU Regulation 2016/679 of 27 April 2016) became applicable on 25 May 2018, one question consistently arises when advising businesses: on what legal basis may I process personal data?

This is precisely the subject of Article 6 of the GDPR, which lays down a simple but often misunderstood rule: every processing of personal data must rest on at least one legal basis. Without a valid legal basis, the processing is unlawful. And the unlawfulness of a processing operation directly exposes the business to administrative fines of up to EUR 20 million or 4% of total worldwide annual turnover.

The CNIL forcefully reiterated this in its decision SAN-2025-001 of 15 May 2025: Article 6(1) of the GDPR provides that processing "shall be lawful only if and to the extent that at least one of the following conditions applies". This requirement is not an administrative formality. It is the very foundation of the lawfulness of your digital activity.

This article guides you through the six legal bases provided for by the GDPR, the conditions governing their application, the most common mistakes, and the concrete consequences of a wrong choice.

What is a legal basis within the meaning of the GDPR, and why does it matter so much?

A legal basis is the legal justification that authorises a business, an association or a public body to collect and process personal data. Without this justification, the processing is prohibited.

Article 6(1) of the GDPR sets out six possible legal bases, and any one of them is sufficient to legitimise a given processing operation. These six grounds are:

  • (a) the consent of the data subject;
  • (b) the performance of a contract to which the data subject is party;
  • (c) compliance with a legal obligation to which the controller is subject;
  • (d) the protection of the vital interests of the data subject or of another person;
  • (e) the performance of a task carried out in the public interest or in the exercise of official authority;
  • (f) the legitimate interests pursued by the controller or by a third party.

The choice of legal basis is not a trivial matter. It determines the rights that individuals have over their data, the obligations incumbent on your business, and the way in which you must inform data subjects. A wrong choice of legal basis—for example, invoking consent where legitimate interest would have been appropriate, or vice versa—itself constitutes a breach of the GDPR.

What are the six legal bases and how do you tell them apart?

Consent: a demanding basis, often misused

Consent is the best-known legal basis, but it is also the one that gives rise to the largest number of breaches. Article 4(11) of the GDPR provides a precise definition, reiterated by the CNIL in its decision SAN-2025-017 of 30 December 2025: it must be a freely given, specific, informed and unambiguous indication of the data subject's wishes.

In practice, this means that:

  • the data subject must take a positive action (ticking a checkbox that is unticked by default, clicking a button);
  • consent must be given for a specific purpose and cannot be blanket or vague;
  • the data subject must be informed of what they are consenting to before giving their agreement;
  • they must be able to withdraw their consent at any time, as easily as they gave it.

Consent is appropriate for: newsletters and email campaigns aimed at individuals, the installation of non-essential cookies, electronic direct marketing to persons who do not yet have a contractual relationship with you.

Consent is not appropriate for: processing that is essential to the performance of a contract, processing required by law, situations where the data subject does not genuinely have a choice to refuse (the employer/employee relationship, for example).

Concrete example: An e-commerce business that installs advertising cookies without first obtaining valid consent exposes itself to a direct fine from the CNIL. Decision SAN-2025-004 of 1 September 2025 precisely illustrates this type of breach, where the failure to obtain consent for marketing processing led to a significant fine.

Performance of a contract: the basis for e-commerce businesses and service providers

This legal basis applies where the processing is necessary for the performance of a contract to which the data subject is party, or in order to take pre-contractual steps at the data subject's request.

It covers situations where you need the data in order to deliver the product or service for which the person contacted you. It does not extend beyond what is strictly necessary for that purpose.

This ground is appropriate for: managing orders and deliveries, invoicing, managing the customer account, providing a SaaS service or a consulting service.

This ground is not appropriate for: sending marketing emails, analysing browsing behaviour for commercial purposes, transferring data to third-party partners for advertising purposes.

Legal obligation: the basis for processing required by legislation

Your business is subject to numerous legal obligations that involve the processing of personal data: retention of payslips, tax and social security declarations, retention of connection data for one year pursuant to Article L. 34-1 of the French Postal and Electronic Communications Code, or the keeping of accounting records.

In these cases, it is the law that requires the processing, and not your own choice. This legal basis is therefore robust and does not require the consent of the data subjects. But be careful: the processing must remain strictly limited to what the law requires. You cannot use this basis to go beyond your legal obligations.

Protection of vital interests: an exceptional basis

This legal basis is reserved for situations where the processing is necessary to protect a person's life. It essentially concerns healthcare professionals in the event of a medical emergency, or disaster situations. It is intended to apply only as a last resort, where the data subject is unable to give consent.

For the vast majority of digital and commercial businesses, this legal basis is not relevant.

Public interest: a basis reserved for public and quasi-public bodies

The performance of a task carried out in the public interest or in the exercise of official authority mainly concerns public administrations, public bodies, or entities entrusted by law with a task in the general interest. An order of 16 January 2024 relating to organised cancer screening programmes explicitly stated, in its Article 3, that the personal data processing operations implemented in that framework were carried out for "the performance of a task carried out in the public interest, in accordance with point (e) of Article 6(1) of Regulation (EU) of 27 April 2016".

For private companies, this basis is in principle inapplicable, save in very particular cases.

Legitimate interest: a flexible but framed basis

Legitimate interest is the most complex and most debated legal basis. It allows data to be processed without consent or legal obligation, provided that a three-step test is satisfied:

  1. Existence of a legitimate interest: the interest pursued must be real, present and lawful;
  2. Necessity of the processing: the processing must be essential to achieve that interest, and no other less intrusive means must be available;
  3. Balancing exercise: the interests and fundamental rights of the data subjects must not override the interest of the controller.

The CNIL reiterated this in its decision SAN-2024-021 of 19 December 2024: "in order to rely on the legal basis of legitimate interest, the controller must carry out a proportionality assessment between the interests pursued and the interference with rights". And in its decision SAN-2025-001 of 15 May 2025, the CNIL pointed out that Recital 47 of the GDPR specifies that "the legitimate interests of a controller" may constitute a legal basis, provided that the balancing exercise is correctly carried out.

Legitimate interest is appropriate for: the security of IT systems, fraud prevention, marketing to former customers in respect of similar products, the handling of complaints, certain internal statistical analyses.

Legitimate interest is not appropriate for: large-scale processing that significantly affects individuals' rights, sensitive data, employee monitoring, the sale of data to third parties for advertising purposes.

Comparative table of the six legal bases

Regulation (EU) 2016/679
Legal bases for processing — Article 6 GDPR

| Legal basis (Art. 6 GDPR) | When to use it | Suitable examples | To avoid |
| --- | --- | --- | --- |
| Consent (a) | Freely given, specific, informed and unambiguous indication of wishes (opt-in, withdrawable at any time). | B2C newsletters & emailing, non-essential cookies, electronic marketing with no contractual relationship. | Processing necessary for the contract or required by law; imbalanced relationship (employer/employee). |
| Performance of the contract (b) | Processing necessary for the performance of a contract or for pre-contractual steps. | Orders & deliveries, invoicing, customer account management, provision of a SaaS or consulting service. | Marketing emails, commercial behavioural analysis, transfer to advertising third parties. |
| Legal obligation (c) | Processing required by legislation; does not require consent. | Payslips, tax/social security declarations, retention of connection data (1 year), accounting records. | Going beyond what the law strictly requires. |
| Vital interests (d) | Protecting a person's life; exceptional basis, as a last resort. | Healthcare professionals in a medical emergency, disaster situations. | Routine business use (not relevant). |
| Task in the public interest (e) | Task in the general interest or official authority entrusted by law. | Public administrations, public bodies (e.g. organised cancer screening). | Private companies: in principle inapplicable. |
| Legitimate interest (f) | Possible without consent after a 3-step test: real interest, necessity, balancing exercise. | IT system security, fraud prevention, marketing to former customers, complaint handling. | Large-scale/intrusive processing, sensitive data, employee monitoring, data resale. |

Source: GDPR, Art. 6 — Provided for information purposes only; does not constitute legal advice.

How do you choose the right legal basis for your business?

What method should you apply in practice?

The choice of legal basis cannot be improvised. It must be conducted purpose by purpose: a single processing operation may serve several purposes, and each must be linked to the most appropriate legal basis.

The recommended approach is as follows:

Step 1 — Identify the purpose of the processing. Why are you collecting this data? To deliver an order, to send a newsletter, to detect fraud?

Step 2 — Review the legal bases in order of relevance. Is there a legal obligation? Is there a contract? If so, these bases generally take precedence over consent or legitimate interest.

Step 3 — Document your choice. Your record of processing activities, which is mandatory under Article 30 of the GDPR, must indicate the legal basis chosen for each processing operation.

Step 4 — Inform the data subjects. Article 13 of the GDPR requires you to state the legal basis in your privacy policy.

Can you change the legal basis along the way?

No, or only with great difficulty. The CNIL and the European data protection authorities have stated that changing the legal basis is in principle prohibited once the processing has been put in place, save on serious legitimate grounds. This rule has a major practical consequence: you must choose the right legal basis from the outset, which justifies a prior legal analysis before launching any new processing operation.

What are the most common mistakes and their consequences?

The "default consent" mistake

Many businesses use consent as a legal basis by reflex, for all their processing operations. This is often a mistake that backfires on them. Invoking consent where another legal basis applies creates an obligation to obtain and retain proof of that consent, and exposes you to difficulties in the event of withdrawal: if the person withdraws their consent for a processing operation that in fact falls under the performance of a contract, you cannot for that reason stop invoicing or delivering.

The "catch-all" legitimate interest mistake

Conversely, some businesses invoke legitimate interest for all the processing operations they wish to put in place without obtaining consent. This legal basis is not a free pass. It presupposes a documented and serious proportionality test. Its use for large-scale or intrusive processing is regularly sanctioned.

Concrete example: In decision SAN-2025-002 of 15 May 2025, the CNIL sanctioned a company that invoked legitimate interest to transfer prospects' data for the purpose of electronic direct marketing. The restricted committee held that this purpose required the consent of the individuals, and not legitimate interest.

The undocumented legal basis

Even if you have chosen the right legal basis, the absence of documentation constitutes a breach of Article 5(2) of the GDPR (the accountability principle). In the event of an inspection, you must be able to justify your choice in writing.

Table of common mistakes and associated risks

GDPR compliance
Common mistakes and associated risks

| Common mistake | What does it involve? | Risk / sanction |
| --- | --- | --- |
| "Default consent" | Invoking consent by reflex for all processing operations. | Obligation to prove consent; in the event of withdrawal, blocking of a processing operation that in fact falls under the contract. |
| "Catch-all" legitimate interest | Invoking legitimate interest without a documented proportionality test. | CNIL fine (e.g. decision SAN-2025-002: marketing requiring consent). |
| The undocumented legal basis | Right choice of basis but no written justification. | Breach of Art. 5(2) (accountability); impossible to justify in the event of an inspection. |

Source: GDPR, Art. 5, 6 and 7 — Provided for information purposes only; does not constitute legal advice.

What practical obligations follow from the choice of legal basis?

The record of processing activities

Article 30 of the GDPR requires every controller to maintain a record of processing activities. This internal document must indicate, for each processing operation: the purposes, the categories of data, the recipients, the retention periods, and the legal basis chosen. This record is the first document requested by the CNIL during an inspection.

The privacy policy and information notices

Articles 13 and 14 of the GDPR require data subjects to be informed, at the time of collection, of the legal basis on which the processing rests. This information must appear in your privacy policy or in your cookie banner, in a clear and accessible manner. A statement along the lines of "we process your data in accordance with our legal obligations and our legitimate interests" is not sufficient: the applicable legal basis must be set out purpose by purpose.

Data subjects' rights, conditioned by the legal basis

The right to object provided for in Article 21 of the GDPR applies only to processing based on legitimate interest or on the public interest. If you have chosen consent as the legal basis, the person cannot "object" to the processing: they withdraw their consent. If you have chosen legal obligation or the performance of a contract, neither objection nor withdrawal of consent applies.

Likewise, the right to erasure (the "right to be forgotten" within the meaning of Article 17 of the GDPR) cannot be exercised for processing based on a legal obligation or on the performance of an ongoing contract.

Practical cases: how to apply these rules to your business?

You run an e-commerce website

Your business involves several processing operations with different legal bases:

  • Processing of orders and deliveries: performance of the contract (Article 6(1)(b)).
  • Retention of invoices: legal obligation (Article 6(1)(c)) — the French Commercial Code requires a retention period of 10 years.
  • Sending commercial emails to your customers about products similar to those already purchased: legitimate interest (Article 6(1)(f)), subject to the right to object and to the rules of Article L. 34-5 of the French Postal and Electronic Communications Code.
  • Sending newsletters to prospects who have never purchased from you: consent (Article 6(1)(a)) is mandatory.
  • Analytics cookies (audience measurement): in certain cases, they may be exempt from consent under the CNIL's guidelines, subject to compliance with strict conditions. As a general rule, consent is required.

You are developing a SaaS application

The data of your users processed for the provision of the service (login, account management, use of features) falls under the performance of the contract. However, if you wish to analyse your users' behaviour in order to improve your product or for marketing purposes, you will need to identify a separate legal basis, most often legitimate interest or consent depending on the nature and impact of the processing.

You manage a distribution network or a loyalty programme

The management of a loyalty programme involves commercial profiling operations that generally require the consent of customers, unless these operations are strictly necessary for the performance of the loyalty contract. The transfer of data to network partners for joint marketing actions, for its part, requires explicit consent or a robust, documented contractual basis.

What is the role of the law firm Mirabile Avocat in this process?

Compliance with Article 6 of the GDPR is not a one-off exercise. It is ongoing work that requires simultaneous command of personal data law, contract law, commercial law and, in some cases, tax law. The law firm Mirabile Avocat, specialising in digital law and business law, supports businesses, managers of micro-enterprises and SMEs, startups and commercial operators at every stage of their GDPR compliance.

Analysis and mapping of processing operations

Before choosing a legal basis, you must first identify all the processing operations carried out by your organisation. The firm produces a complete mapping of your data processing operations, cross-referencing them with your activity flows, your contracts and your legal obligations, in order to propose a precise and documented legal characterisation.

Drafting and securing compliance documents

The firm drafts or audits your privacy policies, your legal notices, your terms and conditions of use and your terms and conditions of sale, ensuring that the legal bases chosen are correctly stated and consistent with your actual practices.

It also assists with the setting up or revision of your record of processing activities, helping you to document the legal bases, the retention periods and the safeguards provided to data subjects.

Assistance with drafting GDPR data processing agreements

Article 28 of the GDPR requires a data processing agreement to be concluded with any provider that processes data on your behalf (hosting provider, CRM provider, marketing agency, etc.). This agreement governs, among other things, the purposes of the processing and the obligations of the processor. The Mirabile firm drafts and negotiates these agreements to secure your chain of responsibility.

Prevention of disputes and assistance in the event of a CNIL inspection

In the event of a CNIL inspection or a complaint from a data subject, the firm assists the manager in preparing their responses, in producing the compliance supporting documents, and in negotiating with the supervisory authority. The quality of the prior legal documentation is often decisive in limiting sanctions.

Legal strategy in the event of a data processing dispute

Certain disputes relating to a breach of the GDPR may give rise to civil liability actions before the civil courts, pursuant to Article 82 of the GDPR. The firm supports businesses in these proceedings, both as defendant and as claimant, and can advise on the remediation measures that limit the harm.

Key takeaways

Choosing the right legal basis is not an administrative formality. It is a fundamental legal obligation on which the lawfulness of your entire digital and commercial activity depends. A wrong choice can lead to heavy financial penalties, to the obligation to delete data collected over many years, and to significant reputational harm.

The six legal bases of Article 6 of the GDPR address different situations, and their application requires a precise analysis of each processing operation, its purpose and its impact on the rights of data subjects. The CNIL's recent decisions, in particular decisions SAN-2025-001, SAN-2025-002 and SAN-2025-017 published in 2025, show that the authority actively monitors the correct identification and documentation of legal bases, and that it does not hesitate to sanction breaches, even where they result from a mere error of assessment.

Achieving compliance with Article 6 of the GDPR is a legal investment, not a cost. It protects you, protects your customers and secures your commercial development.

The law firm Mirabile Avocat supports entrepreneurs, managers of micro-enterprises and SMEs and creators of digital projects in GDPR compliance, the drafting of their digital contracts and the management of their commercial relationships. For any question relating to your specific situation, we invite you to contact our teams.

Legal sources:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR), Articles 4, 5, 6, 7, 13, 17, 21, 28, 30 — Légifrance
  • French Data Protection Act (loi Informatique et Libertés), Law No. 78-17 of 6 January 1978 on information technology, files and civil liberties (as amended)
  • CNIL decision SAN-2025-017 of 30 December 2025 — Légifrance
  • CNIL decision SAN-2025-004 of 1 September 2025 — Légifrance
  • CNIL decision SAN-2025-002 of 15 May 2025 — Légifrance
  • CNIL decision SAN-2025-001 of 15 May 2025 — Légifrance
  • CNIL decision SAN-2024-021 of 19 December 2024 — Légifrance

To learn more

What does Article 6 of the GDPR provide?

Article 6 of the GDPR lays down a simple rule: every processing of personal data must rest on at least one legal basis. Without a valid legal basis, the processing is unlawful and exposes the business to significant administrative fines.

What are the legal bases under the GDPR?

Article 6 of the GDPR provides for several legal bases: consent, the performance of a contract, compliance with a legal obligation, the protection of vital interests, a task carried out in the public interest, and legitimate interest. Each processing operation must rest on one of them.

What is the risk of having no valid legal basis?

Without a valid legal basis, the processing is unlawful. The unlawfulness directly exposes the business to administrative fines of up to EUR 20 million or 4% of total worldwide annual turnover. The choice of legal basis is therefore decisive.

How do you choose the right legal basis?

The choice depends on the purpose of the processing and the context. Consent suits certain processing operations, the contract suits others, and legitimate interest suits others still. An unsuitable legal basis weakens the processing, hence the importance of a rigorous analysis.

What did the CNIL reiterate in its decision SAN-2025-001?

In its decision SAN-2025-001 of 15 May 2025, the CNIL forcefully reiterated the requirement of Article 6 of the GDPR: every processing operation must rest on a valid legal basis. This decision highlights the consequences of the unlawfulness of a processing operation.

Is consent always the right legal basis?

No. Consent is only one of the possible legal bases and is not always the most appropriate. Depending on the processing, the contract, the legal obligation or legitimate interest may be more suitable. Choosing the right ground is essential to compliance.

Can you change the legal basis during the processing?

Changing the legal basis is delicate and must be justified, because it can affect the information given to individuals and the lawfulness of the processing. It is preferable to determine the appropriate legal basis from the design stage of the processing in order to secure it.

Is a lawyer useful for choosing the legal basis?

A GDPR lawyer helps to characterise the processing operations, to choose the legal basis best suited within the meaning of Article 6, and to document that choice. This support secures the processing and limits exposure to CNIL sanctions.
