The controller determines the legal basis of data processing before data collection. The controller can process data on one or more legal bases, but selecting one is essential for the lawfulness of processing under Article 6 GDPR. Before starting to collect personal data, the controller needs to understand why he/she needs those data, and the purpose must be declared in the privacy notice. The data subject must, in fact, be informed and aware of the reason for processing. The legal bases are:
1. Consent of the data subject.
2. Performance of a contract (even pre-contractual steps).
3. Compliance with a legal obligation to which the controller is subject.
4. Protection of the vital interests of the data subject.
5. Performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
6. Processing is necessary for the purposes of the legitimate interests pursued by the controller.
For example, if you provide a service on the web, you can state in the privacy notice that the customer's personal data are collected to provide the service and to comply with a legal obligation (e.g., tax declarations). You can also ask the data subject for consent to receive newsletters or promotions. If your customer withdraws consent and asks you to delete all of his/her stored personal information, you can reply that you will remove the personal information processed on the basis of consent (newsletter, marketing), while data processed for the provision of the service will be kept to comply with tax rules on bookkeeping. This is why the controller needs to determine the legal basis of each data processing activity before collecting data.
Here you can find more information on the legal bases and data subjects' rights: