What are the six lawful bases under GDPR?
GDPR Article 6 establishes six lawful bases for processing personal data. Consent: the data subject has given clear, informed agreement to processing for specific purposes. Contract: processing is necessary to fulfill a contract with the data subject or to take pre-contractual steps at their request. Legal obligation: processing is necessary to comply with a legal requirement. Vital interests: processing is necessary to protect someone's life. Public task: processing is necessary to perform an official function or task in the public interest. Legitimate interests: processing is necessary for your or a third party's legitimate interests, unless overridden by the data subject's rights.
For email marketing, the most relevant bases are typically consent and legitimate interests. Consent is the clearest basis for marketing emails: the subscriber explicitly agreed to receive communications. Legitimate interests may apply for marketing to existing customers (who have a reasonable expectation of relevant communications) but requires a balancing test. Contract applies to transactional emails directly related to service delivery. Legal obligation might cover required communications like regulatory notices. Vital interests and public task rarely apply to commercial email marketing.
You must identify your lawful basis before processing begins and document your choice. Different bases have different requirements: consent must be freely given and withdrawable; legitimate interests requires a documented balancing test; contract limits you to processing necessary for the contract's performance. Your lawful basis affects subscriber rights: some rights (like objection) have broader application when relying on legitimate interests than when relying on consent. Every piece of personal data you process needs a lawful basis, and knowing which one applies is fundamental to GDPR compliance.