GDPR
By the law firm Mirabile Avocat — Digital law, GDPR and regulatory compliance
Since the General Data Protection Regulation (GDPR, EU Regulation 2016/679 of 27 April 2016) became applicable on 25 May 2018, one question consistently arises when advising businesses: on what legal basis may I process personal data?
This is precisely the subject of Article 6 of the GDPR, which lays down a simple but often misunderstood rule: every processing of personal data must rest on at least one legal basis. Without a valid legal basis, the processing is unlawful. And the unlawfulness of a processing operation directly exposes the business to administrative fines of up to EUR 20 million or 4% of total worldwide annual turnover.
The CNIL forcefully reiterated this in its decision SAN-2025-001 of 15 May 2025: Article 6(1) of the GDPR provides that processing "shall be lawful only if and to the extent that at least one of the following conditions applies". This requirement is not an administrative formality. It is the very foundation of the lawfulness of your digital activity.
This article guides you through the six legal bases provided for by the GDPR, the conditions governing their application, the most common mistakes, and the concrete consequences of a wrong choice.
A legal basis is the legal justification that authorises a business, an association or a public body to collect and process personal data. Without this justification, the processing is prohibited.
Article 6(1) of the GDPR sets out six possible legal bases, and any one of them is sufficient to legitimise a given processing operation. These six grounds are: consent, the performance of a contract, compliance with a legal obligation, the protection of vital interests, the performance of a task carried out in the public interest, and legitimate interest.
The choice of legal basis is not a trivial matter. It determines the rights that individuals have over their data, the obligations incumbent on your business, and the way in which you must inform data subjects. A wrong choice of legal basis—for example, invoking consent where legitimate interest would have been appropriate, or vice versa—itself constitutes a breach of the GDPR.
Consent is the best-known legal basis, but it is also the one that gives rise to the largest number of breaches. Article 4(11) of the GDPR provides a precise definition, reiterated by the CNIL in its decision SAN-2025-017 of 30 December 2025: it must be a freely given, specific, informed and unambiguous indication of the data subject's wishes.
In practice, this means that:
Consent is appropriate for: newsletters and email campaigns aimed at individuals, the installation of non-essential cookies, electronic direct marketing to persons who do not yet have a contractual relationship with you.
Consent is not appropriate for: processing that is essential to the performance of a contract, processing required by law, situations where the data subject does not genuinely have a choice to refuse (the employer/employee relationship, for example).
Concrete example: An e-commerce business that installs advertising cookies without first obtaining valid consent exposes itself to a direct fine from the CNIL. Decision SAN-2025-004 of 1 September 2025 precisely illustrates this type of breach, where the failure to obtain consent for marketing processing led to a significant fine.
This legal basis applies where the processing is necessary for the performance of a contract to which the data subject is party, or in order to take pre-contractual steps at the data subject's request.
It covers situations where you need the data in order to deliver the product or service for which the person contacted you. It does not extend beyond what is strictly necessary for that purpose.
This ground is appropriate for: managing orders and deliveries, invoicing, managing the customer account, providing a SaaS service or a consulting service.
This ground is not appropriate for: sending marketing emails, analysing browsing behaviour for commercial purposes, transferring data to third-party partners for advertising purposes.
Your business is subject to numerous legal obligations that involve the processing of personal data: retention of payslips, tax and social security declarations, retention of connection data for one year pursuant to Article L. 34-1 of the French Postal and Electronic Communications Code, or the keeping of accounting records.
In these cases, it is the law that requires the processing, and not your own choice. This legal basis is therefore robust and does not require the consent of the data subjects. But be careful: the processing must remain strictly limited to what the law requires. You cannot use this basis to go beyond your legal obligations.
This legal basis is reserved for situations where the processing is necessary to protect a person's life. It essentially concerns healthcare professionals in the event of a medical emergency, or disaster situations. It is intended to apply only as a last resort, where the data subject is unable to give consent.
For the vast majority of digital and commercial businesses, this legal basis is not relevant.
The performance of a task carried out in the public interest or in the exercise of official authority mainly concerns public administrations, public bodies, or entities entrusted by law with a task in the general interest. An order of 16 January 2024 relating to organised cancer screening programmes explicitly stated, in its Article 3, that the personal data processing operations implemented in that framework were carried out for "the performance of a task carried out in the public interest, in accordance with point (e) of Article 6(1) of Regulation (EU) of 27 April 2016".
For private companies, this basis is in principle inapplicable, save in very particular cases.
Legitimate interest is the most complex and most debated legal basis. It allows data to be processed without consent or legal obligation, provided that a three-step test is satisfied:
The CNIL reiterated this in its decision SAN-2024-021 of 19 December 2024: "in order to rely on the legal basis of legitimate interest, the controller must carry out a proportionality assessment between the interests pursued and the interference with rights". And in its decision SAN-2025-001 of 15 May 2025, the CNIL pointed out that Recital 47 of the GDPR specifies that "the legitimate interests of a controller" may constitute a legal basis, provided that the balancing exercise is correctly carried out.
Legitimate interest is appropriate for: the security of IT systems, fraud prevention, marketing to former customers in respect of similar products, the handling of complaints, certain internal statistical analyses.
Legitimate interest is not appropriate for: large-scale processing that significantly affects individuals' rights, sensitive data, employee monitoring, the sale of data to third parties for advertising purposes.
The choice of legal basis cannot be improvised. It must be conducted purpose by purpose: a single processing operation may serve several purposes, and each must be linked to the most appropriate legal basis.
The recommended approach is as follows:
Step 1 — Identify the purpose of the processing. Why are you collecting this data? To deliver an order, to send a newsletter, to detect fraud?
Step 2 — Review the legal bases in order of relevance. Is there a legal obligation? Is there a contract? If so, these bases generally take precedence over consent or legitimate interest.
Step 3 — Document your choice. Your record of processing activities, which is mandatory under Article 30 of the GDPR, must indicate the legal basis chosen for each processing operation.
Step 4 — Inform the data subjects. Article 13 of the GDPR requires you to state the legal basis in your privacy policy.
No, or only with great difficulty. The CNIL and the European data protection authorities have stated that changing the legal basis is in principle prohibited once the processing has been put in place, save on serious legitimate grounds. This rule has a major practical consequence: you must choose the right legal basis from the outset, which justifies a prior legal analysis before launching any new processing operation.
Many businesses use consent as a legal basis by reflex, for all their processing operations. This is often a mistake that backfires on them. Invoking consent where another legal basis applies creates an obligation to obtain and retain proof of that consent, and exposes you to difficulties in the event of withdrawal: if the person withdraws their consent for a processing operation that in fact falls under the performance of a contract, you cannot for that reason stop invoicing or delivering.
Conversely, some businesses invoke legitimate interest for all the processing operations they wish to put in place without obtaining consent. This legal basis is not a free pass. It presupposes a documented and serious proportionality test. Its use for large-scale or intrusive processing is regularly sanctioned.
Concrete example: In decision SAN-2025-002 of 15 May 2025, the CNIL sanctioned a company that invoked legitimate interest to transfer prospects' data for the purpose of electronic direct marketing. The restricted committee held that this purpose required the consent of the individuals, and not legitimate interest.
Even if you have chosen the right legal basis, the absence of documentation constitutes a breach of Article 5(2) of the GDPR (the accountability principle). In the event of an inspection, you must be able to justify your choice in writing.
Article 30 of the GDPR requires every controller to maintain a record of processing activities. This internal document must indicate, for each processing operation: the purposes, the categories of data, the recipients, the retention periods, and the legal basis chosen. This record is the first document requested by the CNIL during an inspection.
Articles 13 and 14 of the GDPR require data subjects to be informed, at the time of collection, of the legal basis on which the processing rests. This information must appear in your privacy policy or in your cookie banner, in a clear and accessible manner. A statement along the lines of "we process your data in accordance with our legal obligations and our legitimate interests" is not sufficient: the applicable legal basis must be set out purpose by purpose.
The right to object provided for in Article 21 of the GDPR applies only to processing based on legitimate interest or on the public interest. If you have chosen consent as the legal basis, the person cannot "object" to the processing: they withdraw their consent. If you have chosen legal obligation or the performance of a contract, neither objection nor withdrawal of consent applies.
Likewise, the right to erasure (the "right to be forgotten" within the meaning of Article 17 of the GDPR) cannot be exercised for processing based on a legal obligation or on the performance of an ongoing contract.
Your business involves several processing operations with different legal bases:
The data of your users processed for the provision of the service (login, account management, use of features) falls under the performance of the contract. However, if you wish to analyse your users' behaviour in order to improve your product or for marketing purposes, you will need to identify a separate legal basis, most often legitimate interest or consent depending on the nature and impact of the processing.
The management of a loyalty programme involves commercial profiling operations that generally require the consent of customers, unless these operations are strictly necessary for the performance of the loyalty contract. The transfer of data to network partners for joint marketing actions, for its part, requires explicit consent or a robust, documented contractual basis.
Compliance with Article 6 of the GDPR is not a one-off exercise. It is ongoing work that requires simultaneous command of personal data law, contract law, commercial law and, in some cases, tax law. The law firm Mirabile Avocat, specialising in digital law and business law, supports businesses, managers of micro-enterprises and SMEs, startups and commercial operators at every stage of their GDPR compliance.
Before choosing a legal basis, you must first identify all the processing operations carried out by your organisation. The firm produces a complete mapping of your data processing operations, cross-referencing them with your activity flows, your contracts and your legal obligations, in order to propose a precise and documented legal characterisation.
The firm drafts or audits your privacy policies, your legal notices, your terms and conditions of use and your terms and conditions of sale, ensuring that the legal bases chosen are correctly stated and consistent with your actual practices.
It also assists with the setting up or revision of your record of processing activities, helping you to document the legal bases, the retention periods and the safeguards provided to data subjects.
Article 28 of the GDPR requires a data processing agreement to be concluded with any provider that processes data on your behalf (hosting provider, CRM provider, marketing agency, etc.). This agreement governs, among other things, the purposes of the processing and the obligations of the processor. The Mirabile firm drafts and negotiates these agreements to secure your chain of responsibility.
In the event of a CNIL inspection or a complaint from a data subject, the firm assists the manager in preparing their responses, in producing the compliance supporting documents, and in negotiating with the supervisory authority. The quality of the prior legal documentation is often decisive in limiting sanctions.
Certain disputes relating to a breach of the GDPR may give rise to civil liability actions before the civil courts, pursuant to Article 82 of the GDPR. The firm supports businesses in these proceedings, both as defendant and as claimant, and can advise on the remediation measures that limit the harm.
Choosing the right legal basis is not an administrative formality. It is a fundamental legal obligation on which the lawfulness of your entire digital and commercial activity depends. A wrong choice can lead to heavy financial penalties, to the obligation to delete data collected over many years, and to significant reputational harm.
The six legal bases of Article 6 of the GDPR address different situations, and their application requires a precise analysis of each processing operation, its purpose and its impact on the rights of data subjects. The CNIL's recent decisions, in particular decisions SAN-2025-001, SAN-2025-002 and SAN-2025-017 published in 2025, show that the authority actively monitors the correct identification and documentation of legal bases, and that it does not hesitate to sanction breaches, even where they result from a mere error of assessment.
Achieving compliance with Article 6 of the GDPR is a legal investment, not a cost. It protects you, protects your customers and secures your commercial development.
The law firm Mirabile Avocat supports entrepreneurs, managers of micro-enterprises and SMEs and creators of digital projects in GDPR compliance, the drafting of their digital contracts and the management of their commercial relationships. For any question relating to your specific situation, we invite you to contact our teams.
To learn more
Article 6 of the GDPR lays down a simple rule: every processing of personal data must rest on at least one legal basis. Without a valid legal basis, the processing is unlawful and exposes the business to significant administrative fines.
Article 6 of the GDPR provides for several legal bases: consent, the performance of a contract, compliance with a legal obligation, the protection of vital interests, a task carried out in the public interest, and legitimate interest. Each processing operation must rest on one of them.
Without a valid legal basis, the processing is unlawful. The unlawfulness directly exposes the business to administrative fines of up to EUR 20 million or 4% of total worldwide annual turnover. The choice of legal basis is therefore decisive.
The choice depends on the purpose of the processing and the context. Consent suits certain processing operations, the contract suits others, and legitimate interest suits others still. An unsuitable legal basis weakens the processing, hence the importance of a rigorous analysis.
In its decision SAN-2025-001 of 15 May 2025, the CNIL forcefully reiterated the requirement of Article 6 of the GDPR: every processing operation must rest on a valid legal basis. This decision highlights the consequences of the unlawfulness of a processing operation.
No. Consent is only one of the possible legal bases and is not always the most appropriate. Depending on the processing, the contract, the legal obligation or legitimate interest may be more suitable. Choosing the right ground is essential to compliance.
Changing the legal basis is delicate and must be justified, because it can affect the information given to individuals and the lawfulness of the processing. It is preferable to determine the appropriate legal basis from the design stage of the processing in order to secure it.
A GDPR lawyer helps to characterise the processing operations, to choose the legal basis best suited within the meaning of Article 6, and to document that choice. This support secures the processing and limits exposure to CNIL sanctions.