Why GDPR Article 6 Exists: The Legal Basis Behind Privacy Reviews
Last updated: April 23, 2026
Privacy reviews ask for a legal basis because describing what a product does is not the same as proving that the processing is lawful.
GDPR Article 6 exists to answer one question: under what condition is processing personal data allowed at all? The article sets out six lawful bases, and the point is not that one of them looks better in a policy. The point is that the product facts must actually fit one of them.
Official text: GDPR Article 6 on EUR-Lex
Why the law needed this structure
Without a lawful-basis test, a privacy policy could describe data processing in vague, friendly language and still avoid the real question. Article 6 forces the conversation back to the processing itself.
That matters because different features create different legal facts. A subscription checkout, an analytics SDK, an account recovery flow, and an anti-fraud check are not the same kind of processing. They may all be useful. They are not all justified the same way.
The six bases are not interchangeable
| Basis | What it is really for | Common mistake |
|---|---|---|
| Consent | The user actually has a real choice | Using it as a default answer |
| Contract | The data is needed to perform the service | Applying it to optional tracking |
| Legal obligation | A law requires the processing | Using it when a business policy would do |
| Vital interests | Rare emergency protection | Treating normal operations as emergencies |
| Public interest / official authority | Public tasks and authority-based processing | Copying it into private products |
| Legitimate interests | A real interest balanced against user rights | Skipping the balancing test |
What this means in practice
If your app uses analytics, the legal basis question is not "do we have a privacy policy?" It is "what is the lawful basis for this exact processing, and does the policy reflect it honestly?"
That is why Article 6 matters in reviews. It gives the reviewer a way to check whether the explanation in the policy is anchored in facts rather than vibes.
The cleanest rule is this: describe the processing first, pick the lawful basis second, and write the policy third. If you do it in the opposite order, the document will drift away from the product.
Use PolicyPilot to trace each processing flow back to a lawful basis.