Every time your website processes personal data, UK GDPR Article 6 requires that processing to be justified by one of six lawful bases. You must identify the basis before you process, document it, and tell people about it in your privacy notice. Choosing the wrong basis, or failing to choose at all, is not a technicality — it is the failure the ICO treats as the foundation of most enforcement actions.

The six bases

1. Consent — Article 6(1)(a)

The individual has given a clear, specific, informed, and unambiguous indication of agreement to the processing. Consent must be freely given — it cannot be a condition of using your service unless the processing is genuinely necessary for that service.

Typical use: newsletter subscriptions, non-essential cookies, marketing emails to new contacts.

2. Contract — Article 6(1)(b)

Processing is necessary to perform a contract with the individual, or to take steps at their request before entering a contract. This basis covers only the processing genuinely required — not all the things you might want to do with that person's data afterwards.

Typical use: processing a purchase, creating and managing a user account, delivering a service the customer has paid for.

3. Legal obligation — Article 6(1)(c)

Processing is necessary to comply with a UK legal obligation — for example, tax law, employment law, or financial regulation. The obligation must be specific and identifiable.

Typical use: retaining invoices for six years (Companies Act / HMRC requirements), right-to-work checks.

4. Vital interests — Article 6(1)(d)

Processing is necessary to protect someone's life. This is a narrow basis, primarily for emergency health scenarios. It is not available to commercial websites under ordinary circumstances.

Typical use: sharing location data with emergency services.

5. Public task — Article 6(1)(e)

Processing is necessary for a task carried out in the public interest or in the exercise of official authority. This basis applies primarily to public authorities and bodies with statutory functions. It is rarely available to private commercial websites.

Typical use: local councils, NHS, regulatory bodies.

6. Legitimate interests — Article 6(1)(f)

Processing is necessary for the legitimate interests of the controller or a third party, unless those interests are overridden by the interests or fundamental rights of the data subject. This basis requires a three-part test: purpose, necessity, and a balancing exercise. The ICO has a Legitimate Interests Assessment (LIA) template.

Typical use: fraud prevention, security logging, direct marketing to existing customers, network security, anonymised analytics.

Which basis applies to common website activities

| Activity | Most likely basis | Notes |
|---|---|---|
| Processing a customer's order | Contract | The processing is necessary to fulfil what the customer asked for |
| Sending a newsletter the user signed up to | Consent | Requires a positive opt-in; pre-ticked boxes are invalid |
| Sending marketing to an existing customer (postal or email) | Legitimate interests | The "soft opt-in" rule under PECR applies for email; must pass the LIA and provide an easy opt-out |
| Google Analytics with cookies | Consent (after obtaining it via PECR) | Analytics cookies require PECR consent; once obtained, legitimate interests may cover the processing itself, but consent is the cleaner basis end-to-end |
| Server-side analytics (no cookies, no fingerprinting) | Legitimate interests | Aggregate traffic data without persistent identifiers is more likely to pass the LIA balancing test |
| Security / access logging | Legitimate interests | Fraud prevention and system security are well-established legitimate interests in ICO guidance |
| Retargeting / advertising pixels | Consent | These create cross-site profiles; consent is the only realistic basis given the privacy impact |
| Contact form submissions | Legitimate interests or contract | Responding to an enquiry the individual initiated; legitimate interests (or pre-contractual steps) are appropriate |

Legitimate interests: the three-part test

If you rely on legitimate interests, the ICO expects you to have carried out a Legitimate Interests Assessment before processing. The three parts are:

  1. Purpose test — is there a genuine, legitimate interest? It must be real, not speculative, and not contrary to law.
  2. Necessity test — is the processing necessary to achieve that purpose? Could a less intrusive method work equally well?
  3. Balancing test — do the individual's interests, rights, and freedoms override the legitimate interest? You need to consider the nature of the data, the likely expectations of the individual, and the harm that could arise.

If you cannot document that you have carried out this test, you should not be relying on legitimate interests.

You cannot switch bases retroactively. If you decide to send a marketing email and choose consent as your basis, then later discover you did not obtain valid consent, you cannot switch to legitimate interests as a fallback. The basis must be identified and documented before processing begins.

Consent is not always the right choice

Consent is widely misused as a default. It is the most demanding basis to maintain: it must be freely given, which means it cannot be bundled with other consents or made a condition of service access; specific, meaning each purpose needs separate consent; informed, meaning people need to understand what they are agreeing to; and unambiguous, which rules out pre-ticked boxes and implied consent from scrolling or continued use.

Consent also gives individuals the right to withdraw at any time, which creates an ongoing operational obligation. If contract or legitimate interests genuinely applies to your processing, using that basis is more stable and no less lawful.

Does your site process data on a valid basis?

GDPR Radar checks whether your privacy policy states a lawful basis, whether your analytics fires before consent, and whether your consent mechanism meets the Article 6(1)(a) standard.
