What is “legal obligation” as a basis for transactional email?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
GDPR's legal obligation basis (Article 6(1)(c)) covers situations where you're required by law to send a communication. For email senders, this applies in specific and narrow circumstances.
If a regulation requires you to notify customers of a data breach, inform them of a change in terms, or send a statutory notice, that's a legal obligation. You don't need consent for those sends. You're required to make them.
What it doesn't cover: sending order confirmations, password reset emails, or account alerts. Those are better processed under the contract basis (you're performing your service), not legal obligation. The distinction matters because legal obligation carries different requirements and can't be used to justify commercial sends.
In practice, most email marketers will rarely use legal obligation as their lawful basis. It applies to a small slice of sends, primarily regulated industries (financial services, healthcare, insurance) that have statutory notification requirements baked into their operating rules.
When it does apply, document it: which law or regulation requires this communication, what you're legally required to say, and why you can't use a less privacy-invasive approach. The same documentation principles apply here as for any other lawful basis, including what to include in your lawful basis documentation.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.