Skip to main content

Article 6 of the GDPR: the legal basis for processing

· 3 min read

One of the key principles of the GDPR is that the processing of personal data must be lawful. In other words, there must be a legal basis for any processing activity that is carried out. The GDPR sets out six grounds on which the processing of personal data is considered to be lawful: consent, contract, legal obligation, vital interests, public interest, or official authority.

In most cases, more than one of these grounds will apply. For example, processing may be necessary for the performance of a contract, but it may also be carried out with the data subject's consent.

What is the Lawfulness of processing?

The GDPR sets out the lawfulness of processing, meaning that personal data must be processed legally, fairly, and transparently. There are six lawful bases for processing, and at least one must apply in order for processing to be GDPR compliant.

  1. Consent – The data subject has given permission for their data to be processed for a specific purpose.
  2. Contractual necessity – Processing is necessary in order to enter into or perform a contract.
  3. Legal obligation – Processing is required by law.
  4. Vital interests – Processing is necessary to protect someone's life.
  5. Public interest – Processing is necessary for the performance of a task carried out in the public interest or under official authority.
  6. Legitimate interest – Processing is necessary for the legitimate interests of the controller unless overridden by the rights of the data subject.

Read more: Can I use "legitimate interest" to justify marketing emails and cold messages?

In summary, GDPR requires that personal data must be processed lawfully, and at least one of these six lawful bases must apply.

If a customer raises a complaint about the absence of a legal basis for data processing, regulatory authorities may investigate and impose fines for non-compliance.

GDPR places significant importance on accountability and proactive compliance. It is essential to prioritize data protection and ensure that you have a valid legal basis for all data processing activities.

Regulatory authorities have the power to impose fines for non-compliance. The severity of fines depends on factors like the nature, gravity, and duration of the infringement, the number of data subjects affected, and previous violations.

What should you do if a customer complains?

If you cannot offer a valid legal basis for the data processing in question, follow these steps:

  1. Investigate the matter – Review data processing activities, documentation, and agreements.
  2. Notify appropriate parties – Inform your organization's Data Protection Officer (DPO), if applicable.
  3. Rectify the situation – Obtain valid consent, establish a different legal basis, or cease processing.
  4. Document the incident – Maintain detailed records of the complaint, investigation, and actions taken.
  5. Communicate with the customer – Provide a clear explanation of the situation and resolution.

Free online solutions for GDPR compliance

GDPR compliance doesn't have to be complicated or expensive. In fact, it can be easily achieved with the right tools and resources. All you need are the correct GDPR templates readily available online. Once you have these, simply make them accessible to your users in the appropriate places. That's all it takes to comply with GDPR requirements.

Don't let law consultants convince you that GDPR compliance is a complex and costly process - it's really not. With the right approach, GDPR compliance can be simple and affordable.

LoginSign up