Overview
Every processing of personal data requires a legal basis. Without a valid legal basis, the processing is unlawful -- regardless of whether it is technically sensible or economically necessary.
Art. 6 GDPR contains six possible legal bases. For AI systems, the following are particularly relevant:
- Consent
- Performance of a contract
- Legitimate interest
This article explains:
- All six legal bases in detail
- Typical use cases with AI
- Areas of tension (e.g. re-training, change of purpose)
- A comparison table for practical classification
The Six Legal Bases at a Glance
Under Art. 6(1) GDPR, processing is lawful if at least one of the following conditions is met:
| No. | Legal Basis | Typical Context |
|---|---|---|
| a | Consent | Marketing, voluntary data processing |
| b | Performance of a contract | Customer contracts, digital services |
| c | Legal obligation | Tax law, retention obligations |
| d | Protection of vital interests | Emergencies |
| e | Public interest | Public authorities |
| f | Legitimate interest | Internal company analyses, AI optimisation |
Consent (Art. 6(1)(a))
Requirements
- Freely given
- Informed
- Specific
- Revocable
- Unambiguous
Challenges in the AI Context
- Change of purpose during re-training
- Difficult transparency with complex models
- Revocation and model update
Example: A user consents to the use of their data for personalised recommendations. Later, these data are used for general model training.
Question: Is this covered by the original consent purpose?
Revocation Problem
If consent is withdrawn, the question arises as to how training data can be removed from models.
Performance of a Contract (Art. 6(1)(b))
Processing is permissible if it:
- is necessary for the performance of a contract, or
- serves the implementation of pre-contractual measures
Example:
- Credit check for a loan agreement
- AI-assisted translation in a SaaS contract
Important: Not every useful processing operation is "necessary" within the meaning of the contract.
Legal Obligation (Art. 6(1)(c))
Data processing is permissible when it is necessary to fulfil a legal obligation.
Examples:
- Anti-money laundering
- Retention obligations
Relevant for AI systems in areas such as:
- Fraud detection in the financial sector
Vital Interests (Art. 6(1)(d))
Rare in the AI context, but possible in:
- Medical emergency diagnostics
- Disaster protection systems
Public Interest (Art. 6(1)(e))
Relevant particularly for:
- Public authorities
- Public educational institutions
- Administrative AI
Prerequisite: Clear legal basis.
Legitimate Interest (Art. 6(1)(f))
In practice, this is the most common legal basis for AI systems in a corporate context.
Requirements:
- Legitimate interest of the controller
- Necessity of the processing
- Balancing of interests in favour of the controller
Balancing of Interests in Detail
The following must be assessed:
- Nature of the data
- Expectations of the data subjects
- Intensity of the interference
- Protective measures
Documentation Obligation
The balancing of interests must be documented in a comprehensible manner.
Comparison: Consent vs. Legitimate Interest
| Criterion | Consent | Legitimate Interest |
|---|---|---|
| Revocation possible | Yes | No (but objection possible) |
| Documentation effort | High | High |
| Flexibility | Low | Medium |
| Typical for AI | Marketing, personalised services | Optimisation, internal analyses |
Change of Purpose in AI Training
A central problem:
Data is collected for Purpose A -- later used for model training (Purpose B).
The following must be assessed:
- Is Purpose B compatible with Purpose A?
- Does a new processing operation exist?
- Is a new legal basis required?
Typical AI Scenarios
1. Chatbot for Customer Service
Legal basis:
- Performance of a contract or
- Legitimate interest
2. HR Recruiting AI
Legal basis:
- Legitimate interest
- Consent where applicable
3. Marketing Personalisation
Legal basis:
- Consent or
- Legitimate interest (with caution)
Connection to Art. 9 GDPR
When special categories of personal data are involved, Art. 6 alone is not sufficient -- Art. 9 must additionally be assessed.
Practical Implementation
Step 1 -- Define Legal Basis per Processing Operation
Not on a blanket basis, but per purpose.
Step 2 -- Documentation
- Justification
- Balancing of interests
- Consent texts
Step 3 -- Purpose Definition
- Clearly define training purpose
- Define model improvement
- Document change of purpose
Step 4 -- Transparency
- Update privacy notice
- Explain AI usage in an understandable manner
Need help implementing?
Work with Creativate AI Studio to design, validate and implement AI systems — technically sound, compliant and production-ready.
Need legal clarity?
For specific legal questions on the AI Act and GDPR, specialized legal advice focusing on AI regulation, data protection and compliance structures is available.
Independent legal advice. No automated legal information. The platform ai-playbook.eu does not provide legal advice.
Next Steps
- Identify all AI-related data processing operations.
- Assign a specific legal basis to each processing operation.
- Document balancing of interests in a comprehensible manner.
- Assess changes of purpose in model training.
- Update your privacy notice accordingly.