Under the GDPR, processing personal data is prohibited unless it falls under one of the six lawful bases defined in Article 6. Choosing the correct legal basis is foundational: it determines what rights individuals can exercise and what obligations apply to the organization.
Consent and legitimate interests are the most commonly invoked in commercial contexts. Consent must be freely given, specific, informed, and unambiguous, and must be as easy to withdraw as to give. Legitimate interests requires a balancing test demonstrating that processing does not unduly override individual rights. Organizations must document their legal basis for each processing activity in their ROPA and cannot retroactively switch bases when challenged.