
Refresher: The GDPR's Six Legal Bases for Data Processing

This resource provides a refresher on the six bases for lawful processing under Article 6 of the EU General Data Protection Regulation.


Contributors:

Müge Fazlioglu

CIPP/E, CIPP/US

Principal Researcher, Privacy Law and Policy

IAPP

This resource provides a refresher on the six bases for lawful processing under Article 6 of the EU General Data Protection Regulation. Given the fines levied in January 2023 by the Irish Data Protection Commission against Meta Ireland, this resource explains the scope of the Article 6 lawful bases for processing, further considerations for determining when each applies, relevant recitals, additional IAPP guidance and resources from supervisory authorities.

There are six available bases within Article 6(1) Lawfulness of processing: consent, contract, legal obligation, vital interest, public task and legitimate interest. Controllers must identify a basis for processing by the time collection of data occurs. Per Article 13(1)(3), controllers must also inform the data subject of the legal basis for processing at the time the data is collected from them.

Legal basis: Consent

Definition/Application
The subject has freely given specific, informed and unambiguous consent to process the data for one or more specific purposes.

Further considerations
Consent agreement must be “clearly distinguishable from the other matters” and presented in “clear and plain language.” The data subject can withdraw consent at any time.

Relevant recitals: 32, 42, 43

Legal basis: Contract

Definition/Application
Processing is necessary for performance of a contract to which the data subject is a party.

Further considerations
Processing must be necessary to deliver a contractual or requested service to a person.

Relevant recitals: 44

Legal basis: Legal obligation

Definition/Application
Processing is necessary for compliance with a legal obligation to which the controller is subject.

Further considerations
Processing must be necessary to comply with common law or statutory obligation. This does not apply to contractual obligations.

Relevant recitals: 45

Legal basis: Vital interests

Definition/Application
Processing is necessary to protect the vital interests of the data subject or another natural person.
