CIPP/E Study Guide
Ch 7.2.8–7.2.9 - Detail & transparency shift

Legal obligation & public interest - extra detail; documenting the basis

For both the legal obligation and public task bases, Recital 45 says the processing must have a basis in EU or member-state law, which may specify the controller, data types, subjects, recipients, purpose limits and storage periods, and may require the controller to be a public authority. These two bases are especially relevant to the specific processing situations (Chapter 9: freedom of expression, employment, archiving/research). A major GDPR shift: unlike under the Directive, controllers must now state the legal basis in the privacy notice (and describe the legitimate interests pursued).

EU/member-state law underpinning these bases can detail the controller, data types, data subjects, recipients, purpose limitations and storage period, and can require the controller to be a public authority. Both bases are central to the Chapter 9 specific processing situations: freedom of expression and information, employment, and archiving/scientific/historical/statistical purposes. Because this depends on national law, scope can vary between member states.

The transparency shift

Under the Directive, a controller did not need to document or communicate its lawful basis. Under the GDPR, the controller must specify the legal basis in the privacy notice and, for legitimate interests, describe the interests pursued. The basis must therefore be chosen before processing begins.

Key terms - quick answers

What is “Recital 45”?
Requires the legal-obligation and public-task bases to rest on EU or member-state law, and rules out reliance on non-EU law.

What is “Privacy notice”?
The transparency information under Articles 13/14; under the GDPR it must state the legal basis for the processing.