Article 6

The GDPR requires that data controllers and processors establish and document a lawful basis before processing any personal data. Article 6 outlines the six scenarios for lawful data processing:

Consent - The data subject consents knowingly and unambiguously.

Contract - Data processing is necessary for fulfilling or entering into an agreed-upon contract.

Legal obligation - A data controller’s legal obligations require it.

Vital interests - Data processing will protect an interest “which is essential for the life of the data subject.”

Public interest - Data processing is required for a task that is legal and completed in the “public interest.”

Legitimate interest - The data controller can offer a “legitimate interest” that doesn’t breach a user’s “fundamental rights and freedoms”

The unifying theme between all the lawful processing scenarios is that they are tied to a specific reason or purpose. According to the Information Commissioner’s Office:

No single basis is ’better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the individual.

It’s important to note that lawful basis must be identified and documented (internally and in your public privacy policy) before data processing starts. Be mindful during this process—once you establish one lawful basis, it’s not recommended (and potentially not legal) to switch to a different one in the future.

It’s also important to note that documenting lawful basis does not give an organization data processing carte blanche, meaning it can’t be used to justify data processing that doesn’t actually need to happen. If the same purpose can easily be achieved without data processing, lawful basis doesn’t apply.