GDPR Article 6(1) gives you exactly six lawful bases: (a) consent, (b) contract, (c) legal obligation, (d) vital interests, (e) public task, and (f) legitimate interests. You must pick at least one before processing begins and record it. For B2B SaaS, three do almost all the work: contract for delivering the product (provisioning, billing, support), legitimate interests for security, first-party analytics, and cold B2B outreach, and consent for optional marketing and non-essential cookies.
Key takeaways
- Article 6(1)(b) contract does not stretch to everything in your ToS. Per EDPB Guidelines 2/2019, it cannot cover behavioural advertising, service improvement, or fraud prevention just because they are named in your terms — those need a different basis.
- Legitimate interests (Art.6(1)(f)) is not blanket permission. It requires a documented three-part LIA — purpose, necessity, and balancing — and it gives the individual an absolute right to object to direct marketing (Art.21(2)).
- Cookies and third-party trackers need consent under ePrivacy first, independent of whichever Article 6 basis you rely on for the resulting personal data.
- You cannot swap bases after the fact. The basis must be fixed before processing, recorded in your Article 30 RoPA, and disclosed in your Article 13/14 privacy notice.
- A lawful-basis breach sits in the top fine tier: up to €20 million or 4% of total worldwide annual turnover, whichever is higher (Art.83(5)).
What is a lawful basis under GDPR Article 6?
A lawful basis is the legal justification for processing personal data. Article 6(1) of the GDPR makes it a threshold requirement: processing is lawful only if at least one of the six bases applies. There is no seventh option and no “we needed the data” catch-all. If you cannot point to a specific sub-paragraph of Article 6(1), the processing is unlawful — regardless of how carefully you secure the data afterwards.
Three obligations follow from that. First, you must identify the basis before processing starts, not reverse-engineer it after a complaint. Second, you must record which basis applies to each processing activity in your Article 30 Records of Processing Activities (RoPA). Third, you must tell data subjects which basis you rely on in your privacy notice under Articles 13 and 14. For US-first teams entering the EU, this is the single most common gap we see in a GDPR readiness assessment: strong security controls, but no documented, activity-level mapping of lawful bases.
A quick jurisdiction note. This article addresses EU GDPR. The UK operates a near-identical UK GDPR enforced by the ICO, whose guidance we cite because it is clear and freely published — but for EU processing the governing authorities are the European Data Protection Board (EDPB) and national supervisory authorities (CNIL, the Irish DPC, Germany's DPAs, and others). Where marketing is concerned, national implementing laws also apply (for example the UK's PECR, or Germany's UWG). And note for context: US privacy laws such as the CCPA/CPRA have no lawful-basis concept — the Article 6 model is specific to the GDPR.
The six lawful bases at a glance
All six are equal under the law — none is “better” than another — but they are not interchangeable, and each carries a different rights profile and administrative burden. The table maps each Article 6(1) sub-paragraph to a plain-English test and the most common B2B SaaS fit.
| Art. 6(1) | Basis | Plain-English test | Typical B2B SaaS use | Withdraw / object? |
|---|---|---|---|---|
| (a) | Consent | The person opted in | Marketing emails, non-essential cookies, optional features | Withdraw anytime (Art.7(3)) |
| (b) | Contract | Necessary to deliver what the customer asked for | Account provisioning, billing, core support | No object right; can end the contract |
| (c) | Legal obligation | A law requires you to process | Tax/AML record-keeping, lawful data requests | No object/erasure right |
| (d) | Vital interests | Life-or-death necessity | Rare in SaaS (emergency medical scenarios) | N/A |
| (e) | Public task | Official authority / public interest | Rare; public-sector vendors only | Object right applies |
| (f) | Legitimate interests | Necessary interest, not overridden by the person's rights | Security monitoring, first-party analytics, cold B2B outreach | Right to object (Art.21); absolute for marketing |
(a) Consent — Articles 4(11) and 7
Consent under Article 7 must meet the Article 4(11) definition: “freely given, specific, informed and unambiguous” and expressed through “a clear affirmative action.” Pre-ticked boxes, silence, and bundled acceptance do not qualify. It must be as easy to withdraw as to give (Art.7(3)), and — critically — consent is not valid where the processing is a precondition of a service that does not actually require it. That last point is why consent is the wrong basis for core service delivery: you should not condition access to your product on marketing opt-in.
(b) Contract — Article 6(1)(b) and its limits
Contract covers processing that is objectively necessary to perform a contract with the data subject, or to take pre-contractual steps at their request. The trap is over-reading “necessary.” The EDPB's Guidelines 2/2019 on Article 6(1)(b) make clear that necessity is judged against what the service genuinely requires — not what you wrote into the terms. Behavioural advertising, generic “service improvement,” and fraud prevention generally cannot ride on contract; they need a separate basis, usually legitimate interests. When you engage a processor to carry out contract-based processing, the basis and its limits must flow down through your Article 28 data processing agreement.
(c) Legal obligation, (d) vital interests, (e) public task
These three rarely anchor SaaS processing. Legal obligation (c) fits statutory duties — keeping invoices for tax law, responding to a valid law-enforcement request — but not commercial choices dressed up as obligations. Vital interests (d) is limited to protecting someone's life and is realistically confined to emergency or health scenarios. Public task (e) applies to bodies exercising official authority, so it is relevant only to public-sector or gov-tech vendors. Most B2B SaaS teams will use (c) narrowly for compliance record-keeping and never touch (d) or (e).
(f) Legitimate interests — Article 6(1)(f) and Recital 47
Legitimate interests is the most flexible basis and the most misused. Article 6(1)(f) permits processing “necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject … in particular where the data subject is a child.” That final clause is the built-in balancing test — the reason an LIA is mandatory. Recital 47 confirms that direct marketing “may be regarded as carried out for a legitimate interest” and ties legitimacy to the reasonable expectations of the data subject. Recital 48 adds that intra-group transmission for internal administrative purposes may be a legitimate interest — but it is not a standalone basis and does not switch off the balancing test, so group companies still cannot freely share personal data.
Legitimate interest vs consent — the decision B2B SaaS teams get wrong
The most common error is defaulting to consent because it “feels safer.” It often is not: consent that can be withdrawn at any moment is fragile for processing you actually need, and invalid consent (bundled, coerced, or a precondition of service) is worse than no consent. Legitimate interest is frequently the more honest and more robust basis — provided you do the assessment. Use the matrix to choose deliberately rather than by habit.
| Dimension | Consent — Art.6(1)(a) | Legitimate interest — Art.6(1)(f) |
|---|---|---|
| Who controls the processing | The individual (opt-in) | The controller (subject to a right to object) |
| Ease of withdrawal | Must be as easy to withdraw as to give (Art.7(3)) | Individual may object; you must stop unless you show overriding grounds |
| Admin burden | Capture, timestamp, version, and evidence each consent | Document a three-part LIA and keep it current |
| Best-fit scenarios | Optional marketing, non-essential cookies, features the user chooses | Security, fraud monitoring, first-party analytics, cold B2B outreach |
| Risk if challenged | Consent found invalid → no basis at all | Balancing test found to fail → processing unlawful |
The rule of thumb: if the processing is something a reasonable business customer would expect and is not a preference the user should get to switch off, legitimate interest is usually the right home. If it is genuinely optional and unexpected, use consent — and evidence it properly.
How to run a Legitimate Interests Assessment (LIA)
Before you rely on Article 6(1)(f), you must complete and document a three-part test. The framing below follows the ICO's legitimate-interests guidance (UK), which mirrors the analysis in the former Article 29 Working Party's Opinion 06/2014 that remains a reference for EU controllers. Keep the completed LIA on file; if a supervisory authority asks, the assessment is your defence.
| Test step | Question to answer | Worked answer | Documentation output |
|---|---|---|---|
| 1. Purpose test | Is there a genuine, legitimate interest? | Yes — promoting a relevant B2B product to decision-makers whose role suggests likely interest is a recognised commercial interest (Recital 47). | Named interest + who benefits |
| 2. Necessity test | Is the processing necessary and proportionate? | Yes — a targeted, role-relevant email to a work address is a proportionate way to reach a business buyer; no less intrusive method achieves the same reach. | Why no lighter-touch option |
| 3. Balancing test | Do the individual's rights and expectations override it? | Not if the contact is relevant, the source is disclosed, volume is modest, and a one-click opt-out is offered. It would fail for irrelevant, high-volume, or personal-address targeting. | Safeguards + go/no-go outcome |
Two caveats on that example. The LIA settles the Article 6 question only — the electronic-marketing rules under ePrivacy/PECR are a separate layer, covered next. And where processing is large-scale, high-risk, or involves systematic monitoring, the same activity may also trigger a Data Protection Impact Assessment under Article 35, which goes further than an LIA.
Mapping common B2B SaaS processing activities to the right basis
This is the table to bookmark. It maps the processing activities almost every SaaS company runs to a defensible basis, names the kind of tool involved, and flags the watch-outs — including where a choice flips to consent.
| Processing activity | Recommended basis | Why | Watch-outs |
|---|---|---|---|
| Account provisioning & authentication | Contract — 6(1)(b) | Necessary to deliver the service the customer signed up for | Only the data the service genuinely needs |
| Billing & invoicing (e.g. Stripe) | Contract — 6(1)(b); legal obligation — 6(1)(c) for retention | Payment is core to the contract; tax law mandates record retention | Split live billing (contract) from statutory retention (legal obligation) |
| First-party product analytics (e.g. self-hosted PostHog) | Legitimate interest — 6(1)(f) | Improving and securing your own service is an expected interest | If it uses non-essential cookies/trackers, ePrivacy consent is needed first |
| Third-party analytics & marketing pixels | Consent — 6(1)(a) | Tracking via third parties is not necessary to deliver the service | ePrivacy consent required before the tracker fires |
| Security & fraud monitoring | Legitimate interest — 6(1)(f) | Protecting the platform and users is a recognised interest (Recital 49) | Cannot ride on contract per EDPB Guidelines 2/2019 |
| Cold outbound marketing | Legitimate interest — 6(1)(f) | Role-relevant B2B outreach can be a legitimate interest | ePrivacy/PECR marketing layer applies on top — see below |
| Newsletter to existing customers | Soft opt-in / consent | Existing-customer marketing of similar products can use the soft opt-in | Only similar products; opt-out at collection and in every message |
| Support tickets (e.g. Intercom) | Contract — 6(1)(b) | Handling support is part of delivering the service | Legitimate interest if the requester is not the contracting party |
| HR / employee data | Contract, legal obligation, and legitimate interest | Employment contract, payroll/tax law, and workforce administration | Consent is rarely valid for staff (imbalance of power) |
Where ePrivacy and PECR change the answer (cold outreach and cookies)
This is the part most US SaaS founders get wrong, because Article 6 is only half the picture. Under the ePrivacy Directive 2002/58/EC (Art.5(3)) and its national implementations (such as the UK's PECR), two things sit on top of — and independent of — your Article 6 basis:
| Activity | ePrivacy consent first? | GDPR Art.6 basis for the data | Net requirement |
|---|---|---|---|
| Non-essential cookies / third-party trackers | Yes | Consent — 6(1)(a) | Opt-in consent before the tracker loads |
| Cold email to a corporate subscriber (company/LLP) | Generally exempt from opt-in | Legitimate interest — 6(1)(f) | LIA + transparency + opt-out; no ePrivacy opt-in needed |
| Cold email to an individual / sole trader | Consent usually required | Legitimate interest — 6(1)(f) | Opt-in unless a soft opt-in applies |
| Marketing to existing customers (similar products) | Soft opt-in available | Legitimate interest / consent | Opt-out at collection and in every message |
The corporate-subscriber point matters. The ePrivacy/PECR electronic-marketing consent rules do not bite on corporate subscribers (limited companies, LLPs) the same way they do on individuals and sole traders. So a role-relevant cold email to [email protected] can often proceed on legitimate interest without ePrivacy opt-in, while emailing a named individual's personal-style address may require consent. This is national-law-specific — Germany's UWG, for instance, is stricter — so confirm per market. The soft opt-in lets you market similar products to existing customers without fresh consent, provided you gave an opt-out when you collected the address and include one in every message.
Two currency points a 2026 guide must cover. The EDPB Opinion 08/2024 on “consent or pay” (17 April 2024) tightened when consent is genuinely “freely given” for large online platforms offering a pay-or-consent choice — relevant if you gate features behind tracking. And the practical mechanics of consent remain an audit item: capture the timestamp, the exact wording shown, and the version, so you can evidence valid consent later. If you are still weighing whether GDPR reaches your US operation at all, start with GDPR for US SaaS companies.
Special-category and healthtech data — you need Article 6 and Article 9
If you process special-category data — health, biometric, racial or ethnic origin, and the other categories in Article 9 — an Article 6 basis is not enough on its own. You need both an Article 6 lawful basis and a separate Article 9(2) condition (for example explicit consent, or provision of health care under 9(2)(h)). Healthtech SaaS handling patient data hits this constantly: contract may cover the Article 6 leg, but you must still name the Article 9(2) condition alongside it. Teams that also fall under US health rules should read this together with our HIPAA compliance guidance, since the two regimes overlap but do not map one-to-one.
How your lawful basis changes which rights users get
The basis you choose is not just paperwork — it determines which data-subject rights are triggered. This surprises teams who assume every right applies to every processing activity.
| Right | Applies when the basis is… | Note |
|---|---|---|
| Portability — Art.20 | Consent or contract only, and processing is automated | Covers only data the person provided, not data you derived or inferred |
| Erasure — Art.17 | Strong under consent and legitimate interest; limited under legal obligation | Withdrawing consent generally triggers erasure |
| Object — Art.21 | Legitimate interest and public task; absolute for direct marketing (21(2)) | No object right against contract or legal obligation |
The portability caveat is the one to get exactly right: Article 20 applies only to consent- or contract-based processing carried out by automated means, and only to data the subject provided — not to analytics you inferred or scores you generated. Stating “portability always applies” is a common and quotable error.
Documenting and defending your basis
Choosing a basis is worthless if you cannot show it. Three artefacts turn a defensible choice into an auditable one. First, the Article 30 RoPA must log the lawful basis for every processing activity. Second, the Article 13/14 privacy notice must disclose the basis (and, for legitimate interests, the interest itself) to data subjects. Third, for legitimate-interest processing, the completed LIA sits behind the RoPA entry as your evidence.
Then there is the “you can't swap bases” rule. Regulators are consistent that you determine the basis before processing and should not switch later without good reason — moving away from consent is treated with particular suspicion, because it looks like retrofitting a justification after opt-ins failed. If circumstances genuinely change, you generally must re-inform data subjects. For a CPA firm running an audit, this is exactly the sort of control we test: is there a current RoPA, does each entry name a basis, and is there an LIA on file where the basis is legitimate interest?
Enforcement reality — the fine tier and the Meta cases
Getting the lawful basis wrong is a top-tier infringement. Under Article 83(5), breaches of the basic principles for processing — including having a valid lawful basis under Article 6 — can attract fines of up to €20 million or 4% of total worldwide annual turnover, whichever is higher. Cumulative GDPR fines across the EEA have run into the billions of euros since 2018, and lawful-basis failures feature prominently among the largest.
The Meta cases are the cautionary example, and the dates matter. Following EDPB Binding Decisions 3/2022 and 4/2022, the Irish DPC announced final decisions on 4 January 2023 fining Meta a combined €390 million (€210M for Facebook, €180M for Instagram) — for wrongly relying on the contract basis (Art.6(1)(b)) for behavioural advertising. Separately, the CJEU's judgment in C-252/21 (Meta v Bundeskartellamt), 4 July 2023, confirmed that behavioural advertising could not readily be justified on contract or on legitimate interest. That fed into an EDPB urgent binding decision of 27 October 2023 (implemented by the Irish DPA in its 10 November 2023 final decision) effectively banning the use of contract and legitimate interest for behavioural advertising by Meta across the EEA. The lesson for SaaS: neither contract nor legitimate interest is a catch-all, and regulators will unwind a mislabelled basis after the fact.
Common mistakes B2B SaaS teams make
The first mistake is reaching for consent where contract fits. Conditioning core service delivery on consent produces invalid consent and fragile processing; use contract for what the service genuinely needs. The second is treating legitimate interest as blanket permission — relying on 6(1)(f) with no LIA on file means you have no defence when challenged. The third is forgetting the ePrivacy layer: a valid Article 6 basis does not exempt you from cookie or electronic-marketing consent rules. The fourth is over-reading contract necessity to cover analytics, advertising, or product improvement, contrary to EDPB Guidelines 2/2019. And the fifth is documentation drift — a RoPA that was accurate at launch but no longer reflects the tools and flows you actually run. Each of these is exactly what surfaces in a GDPR readiness assessment, and each is inexpensive to fix before an enterprise buyer's legal team finds it.
Frequently asked questions
What are the six lawful bases for processing under GDPR?
GDPR Article 6(1) sets six lawful bases: (a) consent, (b) contract, (c) legal obligation, (d) vital interests, (e) public task, and (f) legitimate interests. A controller must identify at least one before processing begins. For B2B SaaS, contract, legitimate interests, and consent cover almost every use case.
Which GDPR lawful basis should a B2B SaaS company use?
Most core B2B SaaS processing relies on Article 6(1)(b) contract (provisioning, billing, support), Article 6(1)(f) legitimate interests (security monitoring, first-party product analytics, cold B2B outreach), and Article 6(1)(a) consent (optional marketing and non-essential cookies). Consent is required where the processing is not necessary to deliver the service the customer asked for.
What is the difference between legitimate interest and consent under GDPR?
Consent (Art.6(1)(a)) requires a freely given, specific, informed opt-in and can be withdrawn at any time. Legitimate interest (Art.6(1)(f)) needs no opt-in but requires a documented three-part LIA and gives individuals a right to object. Consent gives the user control; legitimate interest puts the accountability burden on the controller, who must be able to show the balancing test.
What is a Legitimate Interests Assessment (LIA)?
An LIA is the documented three-part test you must complete before relying on Article 6(1)(f): the purpose test (is there a genuine legitimate interest?), the necessity test (is the processing necessary and proportionate?), and the balancing test (do the individual's rights and reasonable expectations override your interest?). All three must be recorded and kept current.
Can you change your GDPR lawful basis later?
As a rule, no. Regulators say you must determine the lawful basis before processing and should not swap it retrospectively without good reason, especially switching away from consent. Record the basis in your Article 30 records and disclose it in your privacy notice; changing it mid-processing generally means re-informing data subjects.
What lawful basis applies to B2B cold outreach emails under GDPR?
Cold B2B outreach usually relies on legitimate interest (Art.6(1)(f)) for the underlying data, permitted only where the message is relevant to the recipient's role, you disclose your data source, and you offer a clear opt-out. Separately, the ePrivacy/PECR electronic-marketing rules apply: corporate subscribers are treated more permissively than individuals, so check both layers before you send.
Sources & further reading
- European Union — GDPR Article 6: Lawfulness of processing (mirror of Regulation (EU) 2016/679); see also Article 9, Article 30, and Article 83.
- EDPB — Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) in the context of online services.
- ICO (UK) — How do we apply legitimate interests in practice? (three-part LIA), and Article 29 Working Party Opinion 06/2014 on legitimate interests.
- ePrivacy Directive — Directive 2002/58/EC, Article 5(3) (cookies and electronic marketing).
Not sure your lawful bases would survive a buyer's legal review?
Auditsuisse is a US & Swiss licensed CPA firm. We help US-first SaaS and healthtech teams document a defensible basis for every processing activity, complete the LIAs, and get RoPA and privacy notices audit-ready — see our GDPR audit services or book a call.
Request Consultation