
What are the 6 lawful bases under GDPR (Art. 6)?

Every processing of personal data must rest on one of six lawful bases — consent, contract, legal obligation, vital interests, public interest, or legitimate interest.

Last reviewed: 25 May 2026
GDPR Art. 6(1) is the gatekeeper of the entire regulation: without a valid lawful basis, processing is unlawful. The business must choose its basis in advance and disclose it in the privacy statement.

The six bases:

(a) Consent: freely given, specific, informed, unambiguous. It must be as easy to withdraw as to give (Art. 7). Usually the basis for cookies and marketing.

(b) Performance of contract: data needed to perform your contract (e.g. address for delivery). "Being a customer" is not enough; only strictly necessary data qualifies.

(c) Legal obligation: e.g. tax authority administration (7 years), bank CDD requirements. The obligation must follow from Dutch or EU law.

(d) Vital interests: life or death. E.g. an ambulance accessing your medical record without consent. Rarely a basis in commerce.

(e) Public interest or official authority: for government and public institutions. E.g. an employment authority sharing benefit data with other government bodies.

(f) Legitimate interest: when a business interest is strong enough to override your rights. Requires a three-step test: purpose, necessity, balancing. E.g. fraud detection. Government may NOT use legitimate interest (Art. 6(1) last sentence).

Special category data (Art. 9): the same 6 plus 10 additional exceptions for health, biometric, race, political and religion data.

Children's data (Dutch UAVG Art. 5): under 16, parental consent is required for information-society services.

How do you know which basis applies? The privacy statement must explicitly state which basis applies to which processing. You can also ask in an access request (Art. 15). Does the business unexpectedly switch basis? Complain to the AP.
