Can I just use consent for everything?

No. Consent must be freely given, specific, informed, and easily withdrawn. If processing is necessary for a contract or a genuine legitimate interest, consent is often the wrong basis because withdrawing it would break the service. Pick the basis that actually fits.

What is legitimate interests and when does it apply?

Legitimate interests covers processing that is necessary for your or a third party's genuine interest, where that interest is not overridden by the individual's rights. It is flexible but requires a documented three-part balancing test (purpose, necessity, balancing).

Does special-category data change things?

Yes. Health, biometric, racial, political, religious, sexual-orientation and similar data need an Article 6 basis AND a separate Article 9 condition (such as explicit consent or substantial public interest). The tool flags this.

Is this legal advice?

No. It is a structured decision aid based on GDPR Article 6 and ICO guidance to help you reason about the right basis. Confirm with a data protection specialist, especially for special-category data or large-scale processing.

When do I need to choose a lawful basis?

Before you start processing. The basis must be identified and documented up front and explained in your privacy notice. You cannot switch bases later to justify processing you have already done.

GDPR Lawful Basis Selector for AI Processing

Every time you process personal data through an AI system you need a lawful basis under GDPR Article 6 — and you must choose it before you start, document it, and explain it in your privacy notice. Many teams default to “consent” out of habit, which is often the wrong and most fragile choice. This selector walks a decision tree based on your purpose, data type, and relationship to the people involved, and recommends the most appropriate basis with a rationale.

How it works

You answer three questions: the purpose of the processing (delivering a service, improving/training models, marketing, safety, legal compliance, or a public task), the type of data involved (ordinary or special-category), and your relationship to the data subjects (your customer, your employee, or the general public). The tool applies the Article 6 logic — for example, processing necessary to deliver a contracted service points to contract, broad model improvement points to legitimate interests (with a balancing test), and marketing to people you have no other relationship with points to consent. It flags when special-category data triggers an additional Article 9 condition.

Notes and documentation

Pick the basis that genuinely fits the processing, not the one that is easiest to claim. Consent is appropriate when people have a real, revocable choice; contract when the processing is necessary to deliver what they asked for; and legitimate interests when you can pass the three-part balancing test and people would reasonably expect it. Special-category data (health, biometrics, etc.) always needs a second Article 9 condition on top. Record your chosen basis and reasoning in your records of processing before you begin, and treat this tool as a starting point rather than a final legal determination.

GDPR Lawful Basis Selector for AI Processing

GDPR lawful basis selector for AI processing

How it works

Notes and documentation