Necessity & the contract, legal obligation and vital interests bases
Every Article 6 basis except consent requires the processing to be necessary. 'Necessary' has an objective meaning - a close and substantial connection between processing and purpose; merely convenient is not enough. The contract basis (6(1)(b)) needs processing unavoidable to complete the contract. The legal obligation basis (6(1)(c)) needs an obligation in EU/member-state law - not a contractual one, and not a third-country law (Recital 45). Vital interests (6(1)(d)) covers life-or-death emergencies only and should be a basis of last resort.
The remaining five bases all hinge on necessity, an objective standard. It is not enough for a controller to simply consider processing necessary - there must be a close and substantial connection to the purpose, and processing that is merely convenient fails.
| Basis (Article 6(1)) | Scope | Key limit / gotcha |
|---|---|---|
| (b) Contract | Necessary to perform a contract with the subject, or pre-contractual steps at their request | Interpreted narrowly - processing must be unavoidable to complete the contract |
| (c) Legal obligation | Necessary to comply with a legal obligation (e.g. tax, social security) | Must be EU/member-state law; not a contract; not third-country law (Recital 45) |
| (d) Vital interests | Necessary to protect the life of the subject or another person | Life-or-death emergencies only; use only where another basis is not manifestly available (Recital 46) |
Recital 46: reliance on the vital interests of another person should in principle take place only where the processing cannot be manifestly based on another legal basis. Example: treating an unconscious patient.