Legal basis management¶
Every processing operation on personal data requires a valid legal basis. Under GDPR Article 6, there are six possible bases. Under CCPA, the framework differs (notice and opt-out rather than opt-in consent for most processing). Dxtra helps you systematically evaluate which legal basis applies to each processing purpose, document your analysis, and implement the appropriate safeguards.
This guide covers the six GDPR legal bases, when to use each, how Dxtra helps you document your choices, and how legal basis selection connects to consent forms and the Transparency Center.
The six GDPR legal bases¶
Consent — Article 6(1)(a)¶
The data subject has given clear, specific, informed, and unambiguous consent to the processing of their personal data for one or more specific purposes.
When to use: When no other legal basis clearly applies, or when the processing is particularly intrusive (e.g. targeted advertising, cross-site tracking, behavioural profiling). Most Targeting/Marketing purposes require consent.
Requirements under GDPR:
- Consent must be freely given — the data subject must have a genuine choice, and refusing consent must not result in negative consequences
- Consent must be specific — tied to a defined processing purpose, not bundled into terms and conditions
- Consent must be informed — the data subject must know what they are consenting to, who processes the data, and for what purpose
- Consent must be unambiguous — demonstrated by a clear affirmative action (no pre-ticked boxes, no silence or inactivity)
- Consent must be withdrawable — data subjects can withdraw at any time, and withdrawal must be as easy as giving consent
In Dxtra: When you assign Consent as the legal basis for a purpose, Dxtra ensures that purpose is presented in consent forms with an opt-in toggle (defaulting to off). The data subject must actively opt in before any processing begins. Consent status is recorded in the processing activity log and visible in the Transparency Center.
Contract performance — Article 6(1)(b)¶
Processing is necessary for the performance of a contract to which the data subject is party, or to take steps at their request prior to entering into a contract.
When to use: For processing that is genuinely necessary to fulfill a contract. For example, an e-commerce store processing a customer's name and shipping address to deliver an order, or processing payment details to complete a transaction.
Limits: This basis only covers processing that is objectively necessary for the contract — not everything that might be useful or convenient. Processing email addresses for order confirmation is necessary; using them for marketing is not.
In Dxtra: Purposes with a Contract legal basis are typically assigned to the Strictly Necessary consent category. They do not require an opt-in toggle — they are always active because the processing is needed to fulfill the contractual obligation.
Legal obligation — Article 6(1)(c)¶
Processing is necessary to comply with a legal obligation to which the controller is subject.
When to use: When a law requires you to process personal data. For example, retaining financial records for tax compliance, responding to a court order, or reporting certain data to regulatory authorities.
Limits: The legal obligation must be specific and binding — not a general business practice. You must be able to identify the specific law or regulation that requires the processing.
In Dxtra: Purposes with a Legal Obligation basis are documented with the specific regulation that mandates the processing. These purposes typically do not require consent from data subjects.
Vital interests — Article 6(1)(d)¶
Processing is necessary to protect the vital interests of the data subject or of another natural person.
When to use: In life-threatening emergencies where processing personal data is necessary to protect someone's life. This basis is rarely applicable in commercial contexts.
In Dxtra: Available as a legal basis option but unlikely to be used for typical business processing purposes.
Public task — Article 6(1)(e)¶
Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
When to use: Primarily for public authorities and organizations performing tasks in the public interest. Rarely applicable to commercial businesses.
In Dxtra: Available as a legal basis option for organizations that operate in the public sector.
Legitimate interests — Article 6(1)(f)¶
Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
When to use: When you have a genuine business reason to process data, the processing is proportionate, and the data subject would reasonably expect it. Common uses include fraud prevention, network security, direct marketing to existing customers, and analytics for service improvement. Note that electronic direct marketing (email, SMS) and storing or reading identifiers on a user's device are additionally governed by ePrivacy rules, which can require consent even where Article 6(1)(f) would otherwise apply.
Requirements: You must conduct a Legitimate Interest Assessment (LIA) — a three-part balancing test:
- Purpose test — Is there a legitimate interest? Is the processing necessary for that interest?
- Necessity test — Is the processing proportionate? Could you achieve the same goal with less data or less intrusive means?
- Balancing test — Do the data subject's interests, rights, and freedoms override your legitimate interest? Consider what data subjects would reasonably expect, the impact on them, and whether they can easily object.
In Dxtra: When you assign Legitimate Interests as the legal basis, Dxtra can generate a Legitimate Interest Assessment as part of your assessment suite. Purposes with this basis are typically presented with an opt-out mechanism (rather than opt-in): processing begins by default, but data subjects can object at any time through the Transparency Center or preference controls. An objection to direct marketing must always be honoured; for other purposes you may continue only if you can demonstrate compelling legitimate grounds that override the data subject's interests (Article 21).
Important
Legitimate interest is not a fallback when you cannot get consent. It requires genuine analysis and documentation. Regulators expect to see a completed LIA for every purpose that relies on this basis.
Choosing the right legal basis¶
Use this decision framework when assigning a legal basis to a processing purpose:
Start with the processing activity. What are you actually doing with the data, and why?
Is it required by law? If yes, use Legal Obligation.
Is it necessary to fulfill a contract with the data subject? If yes, use Contract Performance — but only for processing that is objectively necessary, not merely useful.
Does the data subject expect this processing? If the processing is proportionate, expected, and you have a genuine business need, Legitimate Interests may be appropriate. Document it with a LIA.
Is the processing particularly intrusive? Targeted advertising, behavioural profiling, cross-site tracking, and data sharing with third parties typically require Consent regardless of whether you believe you have a legitimate interest.
When in doubt, use Consent, but only where you can genuinely stop the processing if consent is refused or withdrawn. If you would process the data anyway (for example, because a contract or law requires it), consent is the wrong basis: it would be illusory, and its withdrawal would leave you without a basis. Where consent is appropriate, it demonstrates respect for data subject autonomy and gives the clearest audit trail.
How legal basis appears in Dxtra¶
Dashboard¶
The Purposes page displays three summary cards at the top — Tracked Data (identifiers observed or generated through user behavior), Received Data (identifiers actively entered or provided by the user), and Legal Basis (a breakdown of all six GDPR bases with regulation-specific badge links). Below the cards, processing purposes are grouped by category with their legal basis visible in each purpose detail.
Consent forms¶
Legal basis determines how the purpose is presented in consent forms:
- Consent basis → Opt-in toggle (default off). Data subject must actively agree.
- Legitimate Interest basis → Opt-out toggle (default on). Data subject can object.
- Contract / Legal Obligation / Vital Interests / Public Task → No toggle. Processing is always active.
Transparency Center¶
Data subjects see the legal basis for each processing purpose in the Disclosures section of the Transparency Center. This supports the GDPR Article 13/14 obligation to inform data subjects of the legal basis for processing (those Articles also require other information, such as the controller's identity, retention periods and data subject rights, which is covered by the privacy notice).
Privacy notices¶
The AI-generated privacy notices include legal basis information for each processing purpose. When you regenerate notices after changing a legal basis, the updated information is automatically included.
Assessments¶
Dxtra's AI engine generates assessments that reference your legal basis choices:
- Data Protection Impact Assessment (DPIA) — Required under GDPR Article 35 when processing is likely to result in high risk. References the legal basis for each purpose assessed.
- Legitimate Interest Assessment (LIA) — Generated for purposes that rely on the legitimate interests basis. Documents the three-part balancing test.
- Transfer Impact Assessment (TIA) — For cross-border data transfers, references the legal basis for the transfer (the Chapter V transfer mechanism, such as an adequacy decision or standard contractual clauses, which is distinct from the Article 6 basis for the underlying processing).
CCPA and other frameworks¶
While the GDPR framework of six legal bases is the most granular, other privacy laws take different approaches:
CCPA/CPRA (California) — Does not use the consent/legal basis model. Instead, businesses must provide notice at or before the point of collection, and consumers have the right to opt out of the sale or sharing of personal information. Dxtra maps CCPA requirements to the same purpose structure — purposes tagged with "Do Not Sell/Share" requirements trigger the appropriate opt-out controls.
LGPD (Brazil) — Uses ten legal bases, similar to GDPR but with additions like credit protection and health protection. Dxtra maps these to the closest GDPR equivalent.
PDPA (Singapore), APPI (Japan), POPIA (South Africa) — Each has its own consent and legal basis framework. Dxtra's AI engine generates purpose-level documentation that reflects the applicable regulations for your operating regions (configured during onboarding).
Because Dxtra covers 500+ privacy obligations across 140+ countries, the platform handles the mapping between your processing purposes and each jurisdiction's specific requirements.
Documenting legal basis changes¶
If you need to change the legal basis for an existing purpose (e.g. moving from legitimate interest to consent after regulatory guidance changes):
- Update the legal basis in the purpose configuration
- Document the reason for the change
- If moving to a more restrictive basis (e.g. from legitimate interest to consent), consider whether you need to re-collect consent from affected data subjects
- Use an AI Regeneration to update your privacy notices and assessments with the new legal basis
- Review the Transparency Center to confirm the updated consent controls appear correctly
Dxtra maintains version history for purposes, so the change and its timestamp are recorded for audit purposes.
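The rules above, that a Consent basis needs an affirmative opt-in recorded under the current purpose version, that a Legitimate Interests basis runs by default until an objection is recorded, that the other four bases have no toggle, and that changing the basis of a purpose must not let earlier non-objection pass as consent, are shown below as a small enforcement gate. This is an added example written for this page, not Dxtra's code or API; every name in it (`LegalBasis`, `Purpose`, `ConsentLedger`, `may_process`, `form_control`) is hypothetical, and the subject and purpose identifiers in `demo()` are constructed.

```python
"""Consent gate for legal-basis-driven processing.

Added illustration written for this page; it is not Dxtra's code or API.
Every name here (LegalBasis, Purpose, ConsentLedger, may_process, ...) is
hypothetical, and the subject/purpose IDs used in demo() are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Optional


class LegalBasis(Enum):
    CONSENT = "Article 6(1)(a)"
    CONTRACT = "Article 6(1)(b)"
    LEGAL_OBLIGATION = "Article 6(1)(c)"
    VITAL_INTERESTS = "Article 6(1)(d)"
    PUBLIC_TASK = "Article 6(1)(e)"
    LEGITIMATE_INTERESTS = "Article 6(1)(f)"


def form_control(basis: LegalBasis) -> tuple:
    """How a purpose is presented in a consent form: (toggle kind, default on?)."""
    if basis is LegalBasis.CONSENT:
        return ("opt-in", False)          # default off: no pre-ticked boxes
    if basis is LegalBasis.LEGITIMATE_INTERESTS:
        return ("opt-out", True)          # on by default, subject may object
    return (None, True)                   # no toggle: always active


@dataclass
class Purpose:
    id: str
    basis: LegalBasis
    version: int = 1
    history: list = field(default_factory=list)  # (version, old, new, reason, at)

    def change_basis(self, new_basis: LegalBasis, reason: str) -> None:
        """Record a basis change; bumping the version invalidates prior opt-ins."""
        self.history.append((self.version, self.basis, new_basis, reason,
                             datetime.now(timezone.utc)))
        self.basis = new_basis
        self.version += 1


@dataclass(frozen=True)
class Decision:
    subject: str
    purpose_id: str
    purpose_version: int
    action: str          # "granted", "withdrawn" or "objected"
    at: datetime


class ConsentLedger:
    """Append-only record of data-subject decisions (the audit trail)."""

    def __init__(self) -> None:
        self._log: list = []

    def record(self, subject: str, purpose: Purpose, action: str) -> Decision:
        if action not in ("granted", "withdrawn", "objected"):
            raise ValueError(f"unknown action {action!r}")
        d = Decision(subject, purpose.id, purpose.version, action,
                     datetime.now(timezone.utc))
        self._log.append(d)
        return d

    def latest(self, subject: str, purpose_id: str) -> Optional[Decision]:
        for d in reversed(self._log):
            if d.subject == subject and d.purpose_id == purpose_id:
                return d
        return None


def may_process(ledger: ConsentLedger, subject: str, purpose: Purpose) -> bool:
    """Decide whether processing under `purpose` may run for `subject`."""
    last = ledger.latest(subject, purpose.id)
    if purpose.basis is LegalBasis.CONSENT:
        # Only an affirmative act counts, and only one given under the current
        # version: silence, or consent to an earlier basis, is not consent.
        return (last is not None and last.action == "granted"
                and last.purpose_version == purpose.version)
    if purpose.basis is LegalBasis.LEGITIMATE_INTERESTS:
        # On by default, but any standing objection or withdrawal blocks it.
        return last is None or last.action == "granted"
    return True   # contract, legal obligation, vital interests, public task


def demo() -> list:
    """Walk one purpose through the states described in the text (constructed data)."""
    ledger = ConsentLedger()
    ads = Purpose("targeted-ads", LegalBasis.LEGITIMATE_INTERESTS)
    outcomes = [may_process(ledger, "subj-1", ads)]            # LI: on by default
    ads.change_basis(LegalBasis.CONSENT, "guidance: targeted ads need consent")
    outcomes.append(may_process(ledger, "subj-1", ads))        # non-objection != consent
    ledger.record("subj-1", ads, "granted")
    outcomes.append(may_process(ledger, "subj-1", ads))        # explicit opt-in
    ledger.record("subj-1", ads, "withdrawn")
    outcomes.append(may_process(ledger, "subj-1", ads))        # withdrawal honoured
    return outcomes
```

The version check in `may_process` is what makes the "re-collect consent" step above enforceable rather than advisory: after a purpose moves from Legitimate Interests to Consent, a subject who merely never objected is treated as not having consented until an opt-in is recorded against the new version, and the `history` list on the purpose keeps the reason and timestamp of the change for audit.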
Related¶
- Purpose & consent management overview — How consent works in Dxtra
- Configure processing purposes — Setting up purposes in the dashboard
- Run a DPIA — Required assessments for high-risk processing
- Assessments overview — AI-generated assessments including LIAs
Not legal advice
This documentation provides guidance on configuring Dxtra's legal basis management features. AI-generated content does not constitute legal advice. Consult a qualified legal professional for advice specific to your jurisdiction and business context.