GDPR

Chapter 2

Article 6

Compliance Guide

GDPR Article 6

Lawfulness of processing

  • Processing shall be lawful only if and to the extent that at least one of the following applies:

    • (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

    • (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

    • (c) processing is necessary for compliance with a legal obligation to which the controller is subject;

    • (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

    • (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

    • (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
      Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

  • Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1 by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing including for other specific processing situations as provided for in Chapter IX.

  • The basis for the processing referred to in point (c) and (e) of paragraph 1 shall be laid down by:

    • (a) Union law; or

    • (b) Member State law to which the controller is subject.
      The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX. The Union or the Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.

  • Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject's consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia:

    • (a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;

    • (b) the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;

    • (c) the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10;

    • (d) the possible consequences of the intended further processing for data subjects;

    • (e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.

· GDPR Article 6 Compliance Guide

Article 6 of the GDPR establishes the six legal bases for processing personal data. Understanding and correctly applying these bases is fundamental for any business handling personal information. Here's how to approach compliance in a practical, actionable way:

The Six Legal Bases: When to Use Each One

1. Consent

When to use it: For marketing communications, optional services, or when no other basis applies.

Implementation steps:

  • Design clear, specific consent requests using plain language

  • Implement checkbox mechanisms (no pre-ticked boxes)

  • Maintain comprehensive consent records

  • Create simple consent withdrawal mechanisms

2. Contract Performance

When to use it: For processing necessary to deliver services or products the individual has requested.

Implementation steps:

  • Document which data points are strictly necessary for fulfilling each contract

  • Review data collection forms to ensure you only collect what's needed

  • Map the relationship between contractual obligations and data processing activities

3. Legal Obligation

When to use it: When processing is required by law (tax regulations, employment law, etc.).

Implementation steps:

  • Identify and document all relevant legal requirements

  • Specify which data processing activities fulfill which legal obligations

  • Review periodically to ensure compliance with changing laws

4. Vital Interests

When to use it: In emergency situations to protect someone's life.

Implementation steps:

  • Document scenarios where this might apply in your context

  • Create emergency protocols for processing data in life-threatening situations

  • Train staff on proper application of this limited basis

5. Public Interest

When to use it: Primarily for public authorities or organizations performing public tasks.

Implementation steps:

  • Identify if your organization performs public tasks

  • Document the specific public interest tasks requiring data processing

  • Reference relevant laws authorizing the processing

6. Legitimate Interests

When to use it: For processing that benefits your business without overriding individual rights.

Implementation steps:

  • Conduct and document Legitimate Interest Assessments (LIAs) that:

    • Identify the legitimate interest

    • Demonstrate necessity

    • Balance against individual rights

  • Review regularly as circumstances change

Practical Implementation Strategy

Step 1: Data Processing Inventory

Create a comprehensive inventory of all personal data processing activities, including:

  • Categories of data collected

  • Purposes of processing

  • Current legal basis relied upon

Step 2: Legal Basis Assignment

For each processing activity:

  • Determine the most appropriate legal basis

  • Document your reasoning

  • Ensure you're not relying on consent when another basis would be more appropriate

Step 3: Privacy Notices

Update your privacy notices to clearly communicate:

  • Which legal basis applies to each processing activity

  • The legitimate interests pursued (if applicable)

  • Rights relevant to each legal basis

Step 4: Process Documentation

Create operational procedures that:

  • Guide staff through legal basis application

  • Include decision trees for selecting appropriate bases

  • Detail how to handle rights requests related to each basis

Step 5: Regular Review Mechanism

Implement quarterly or biannual reviews to:

  • Verify legal bases remain appropriate

  • Assess if processing purposes have changed

  • Update documentation as needed

· GDPR Article 6 Compliance Guide

Article 6 of the GDPR establishes the six legal bases for processing personal data. Understanding and correctly applying these bases is fundamental for any business handling personal information. Here's how to approach compliance in a practical, actionable way:

The Six Legal Bases: When to Use Each One

1. Consent

When to use it: For marketing communications, optional services, or when no other basis applies.

Implementation steps:

  • Design clear, specific consent requests using plain language

  • Implement checkbox mechanisms (no pre-ticked boxes)

  • Maintain comprehensive consent records

  • Create simple consent withdrawal mechanisms

2. Contract Performance

When to use it: For processing necessary to deliver services or products the individual has requested.

Implementation steps:

  • Document which data points are strictly necessary for fulfilling each contract

  • Review data collection forms to ensure you only collect what's needed

  • Map the relationship between contractual obligations and data processing activities

3. Legal Obligation

When to use it: When processing is required by law (tax regulations, employment law, etc.).

Implementation steps:

  • Identify and document all relevant legal requirements

  • Specify which data processing activities fulfill which legal obligations

  • Review periodically to ensure compliance with changing laws

4. Vital Interests

When to use it: In emergency situations to protect someone's life.

Implementation steps:

  • Document scenarios where this might apply in your context

  • Create emergency protocols for processing data in life-threatening situations

  • Train staff on proper application of this limited basis

5. Public Interest

When to use it: Primarily for public authorities or organizations performing public tasks.

Implementation steps:

  • Identify if your organization performs public tasks

  • Document the specific public interest tasks requiring data processing

  • Reference relevant laws authorizing the processing

6. Legitimate Interests

When to use it: For processing that benefits your business without overriding individual rights.

Implementation steps:

  • Conduct and document Legitimate Interest Assessments (LIAs) that:

    • Identify the legitimate interest

    • Demonstrate necessity

    • Balance against individual rights

  • Review regularly as circumstances change

Practical Implementation Strategy

Step 1: Data Processing Inventory

Create a comprehensive inventory of all personal data processing activities, including:

  • Categories of data collected

  • Purposes of processing

  • Current legal basis relied upon

Step 2: Legal Basis Assignment

For each processing activity:

  • Determine the most appropriate legal basis

  • Document your reasoning

  • Ensure you're not relying on consent when another basis would be more appropriate

Step 3: Privacy Notices

Update your privacy notices to clearly communicate:

  • Which legal basis applies to each processing activity

  • The legitimate interests pursued (if applicable)

  • Rights relevant to each legal basis

Step 4: Process Documentation

Create operational procedures that:

  • Guide staff through legal basis application

  • Include decision trees for selecting appropriate bases

  • Detail how to handle rights requests related to each basis

Step 5: Regular Review Mechanism

Implement quarterly or biannual reviews to:

  • Verify legal bases remain appropriate

  • Assess if processing purposes have changed

  • Update documentation as needed

· GDPR Article 6 Compliance Guide

Article 6 of the GDPR establishes the six legal bases for processing personal data. Understanding and correctly applying these bases is fundamental for any business handling personal information. Here's how to approach compliance in a practical, actionable way:

The Six Legal Bases: When to Use Each One

1. Consent

When to use it: For marketing communications, optional services, or when no other basis applies.

Implementation steps:

  • Design clear, specific consent requests using plain language

  • Implement checkbox mechanisms (no pre-ticked boxes)

  • Maintain comprehensive consent records

  • Create simple consent withdrawal mechanisms

2. Contract Performance

When to use it: For processing necessary to deliver services or products the individual has requested.

Implementation steps:

  • Document which data points are strictly necessary for fulfilling each contract

  • Review data collection forms to ensure you only collect what's needed

  • Map the relationship between contractual obligations and data processing activities

3. Legal Obligation

When to use it: When processing is required by law (tax regulations, employment law, etc.).

Implementation steps:

  • Identify and document all relevant legal requirements

  • Specify which data processing activities fulfill which legal obligations

  • Review periodically to ensure compliance with changing laws

4. Vital Interests

When to use it: In emergency situations to protect someone's life.

Implementation steps:

  • Document scenarios where this might apply in your context

  • Create emergency protocols for processing data in life-threatening situations

  • Train staff on proper application of this limited basis

5. Public Interest

When to use it: Primarily for public authorities or organizations performing public tasks.

Implementation steps:

  • Identify if your organization performs public tasks

  • Document the specific public interest tasks requiring data processing

  • Reference relevant laws authorizing the processing

6. Legitimate Interests

When to use it: For processing that benefits your business without overriding individual rights.

Implementation steps:

  • Conduct and document Legitimate Interest Assessments (LIAs) that:

    • Identify the legitimate interest

    • Demonstrate necessity

    • Balance against individual rights

  • Review regularly as circumstances change

Practical Implementation Strategy

Step 1: Data Processing Inventory

Create a comprehensive inventory of all personal data processing activities, including:

  • Categories of data collected

  • Purposes of processing

  • Current legal basis relied upon

Step 2: Legal Basis Assignment

For each processing activity:

  • Determine the most appropriate legal basis

  • Document your reasoning

  • Ensure you're not relying on consent when another basis would be more appropriate

Step 3: Privacy Notices

Update your privacy notices to clearly communicate:

  • Which legal basis applies to each processing activity

  • The legitimate interests pursued (if applicable)

  • Rights relevant to each legal basis

Step 4: Process Documentation

Create operational procedures that:

  • Guide staff through legal basis application

  • Include decision trees for selecting appropriate bases

  • Detail how to handle rights requests related to each basis

Step 5: Regular Review Mechanism

Implement quarterly or biannual reviews to:

  • Verify legal bases remain appropriate

  • Assess if processing purposes have changed

  • Update documentation as needed

‹ Article 5

Principles relating to processing of personal data

Article 7 ›

Conditions for consent

GDPR-CCPA

GDPR

GDPR Insights

CCPA/CPRA

CCPA/CPRA Insights

AI Insights

GDPR-CCPA

GDPR

GDPR Insights

CCPA/CPRA

CCPA/CPRA Insights

AI Insights

GDPR-CCPA

GDPR

GDPR Insights

CCPA/CPRA

CCPA/CPRA Insights

AI Insights