13 Under the GDPR, controllers must have a legal basis in order to process personal data. Article 6 (1) of the GDPR constitutes an exhaustive and restrictive list of six legal bases for processing of personal data under the GDPR. It is up to the controller to define the appropriate legal basis and ensure that all conditions for this legal basis are met. Determining which basis is valid and most appropriate in a specific situation depends on the circumstances under which the processing takes place, including the purpose of the processing and relationship between the controller and the data subject.