What are the six lawful bases under GDPR?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Before you process anyone's personal data under GDPR, you need a legal reason. GDPR defines six valid reasons, called lawful bases. Without one, the processing isn't allowed.
Here are the six, with honest notes on which apply to email marketing:
1. Consent: The person clearly agreed to you processing their data for a specific purpose. For marketing emails, this is the most common basis. It must be freely given, specific, informed, and unambiguous. Pre-checked boxes don't count. Silence doesn't count.
2. Contract: Processing is necessary to perform a contract. For transactional emails (order confirmations, account alerts), this is usually the right basis. Not for newsletters.
3. Legal obligation: You're required by law to process the data. Tax records, fraud prevention. Rarely applies to marketing.
4. Vital interests: Necessary to protect someone's life. Not relevant to commercial email.
5. Public task: For government bodies and public authorities. Not applicable to most senders.
6. Legitimate interests: Your interests in processing outweigh the individual's privacy rights. This is the basis most used for B2B cold email and some customer marketing. It requires a Legitimate Interest Assessment (LIA) to document the balancing test.
You need to choose your lawful basis before you start processing, document it, and tell subscribers which one you're relying on in your privacy notice. You can't switch after the fact. For how the two most common email bases compare, see our guide to consent vs legitimate interest. For documentation requirements, see how to document your lawful basis.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.