Article 6 (GDPR)

Under the GDPR, processing personal data is prohibited unless it falls under one of the six lawful bases defined in Article 6. Choosing the correct legal basis is foundational: it determines what rights individuals can exercise and what obligations apply to the organization.

  • Consent: The individual has given clear consent for a specific purpose.
  • Contract: Processing is necessary to fulfill a contract with the individual.
  • Legal obligation: Processing is required by law.
  • Vital interests: Processing is necessary to protect someone's life.
  • Public task: Processing is in the public interest.
  • Legitimate interests: The controller has a legitimate interest not overridden by individual rights.

Consent and legitimate interests are the most commonly invoked in commercial contexts. Consent must be freely given, specific, informed, and unambiguous, and must be as easy to withdraw as to give. Legitimate interests requires a balancing test demonstrating that processing does not unduly override individual rights. Organizations must document their legal basis for each processing activity in their ROPA and cannot retroactively switch bases when challenged.