Article 6 of the GDPR: the legal basis for processing

Short answer

One of the key principles of the GDPR is that the processing of personal data must be lawful. In other words, there must be a legal basis for any processing activity that is carried out. The GDPR sets out six grounds on which the processing of personal data is considered to be lawful: consent, contract, legal obligation, vital interests, public interest or official authority.

In most cases, more than one of these grounds will apply. For example, processing may be necessary for the performance of a contract, but it may also be carried out with the data subject’s consent.

What is the Lawfulness of processing?

The GDPR sets out the lawfulness of processing, meaning that personal data must be processed legally, fairly and transparently. There are six lawful bases for processing, and at least one must apply in order for processing to be GDPR compliant.

  1. The first lawful basis is consent, where the data subject has given permission for their data to be processed for a specific purpose. Read more: Can I use data for different purposes to which the user consented originally?
  2. The second is contractual necessity, where processing is necessary in order to enter into or perform a contract.
  3. The third is a legal obligation, where GDPR requires the controller to process the data.
  4. The fourth is vital interests, where processing is necessary to protect someone’s life.
  5. The fifth is public interest, where processing is necessary for the performance of a task carried out in the public interest or under official authority.
  6. Finally, the sixth lawful basis is legitimate interest, where processing is necessary for the legitimate interests of the controller, except where the rights and freedoms of the data subject override those interests.

Read more: Can I use «legitimate interest» to justify marketing emails and cold messages?

In summary, GDPR requires that personal data must be processed lawfully, and there are six lawful bases for processing. At least one of these must apply in order for GDPR to be complied with.

What happens if a customer complains and you can’t offer a legal basis?

If a customer raises a complaint about the absence of a legal basis for data processing, and the regulatory authorities investigate and find non-compliance, brace yourself for a dance with fines that might just crash the party.

GDPR places significant importance on accountability and proactive compliance. It is essential to prioritize data protection and ensure that you have a valid legal basis for all data processing activities.

Under the GDPR, regulatory authorities have the power to impose fines for non-compliance with its provisions. The severity of fines depends on several factors, including the nature, gravity, and duration of the infringement, the number of data subjects affected, the level of cooperation with the authorities, and any previous infringements.

What should you do if a customer complains?

If you cannot offer a valid legal basis for the data processing in question, you may want to follow some steps:

  1. Investigate the matter: review the data processing activities, documentation, and any relevant agreements or contracts.
  2. Notify the appropriate parties, including your organization’s Data Protection Officer (DPO), if appointed.
  3. Rectify the situation: such as obtaining valid consent from the data subject, establishing a different legal basis (e.g., legitimate interest, contractual necessity, legal obligation), or ceasing the processing altogether if no valid basis can be identified.
  4. Document the incident: maintain detailed records of the complaint, your investigation, and the steps taken to address the situation. This may be required if regulatory authorities request evidence of your actions.
  5. Communicate with the customer who raised the complaint and provide a clear and transparent explanation of the situation.

Which are the lawful bases for processing under GDPR?

The GDPR sets out the lawfulness of processing, meaning that personal data must be processed legally, fairly and transparently. There are six lawful bases for processing: consent, contract, legal obligation, vital interests, public interest and legitimate interest, and at least one must apply in order for processing to be GDPR compliant.

Here’s the original text from Regulation (EU) 2016/679 General Data Protection Regulation.

Article 6: Lawfulness of processing

1. Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.


Free online solutions for GDPR compliance

GDPR compliance doesn’t have to be complicated or expensive. In fact, it can be easily achieved with the right tools and resources. All you need are the correct GDPR templates readily available online. Once you have these, simply make them accessible to your users in the appropriate places. That’s all it takes to comply with GDPR requirements. So don’t let law consultants convince you that GDPR compliance is a complex and costly process – it’s really not. With the right approach, GDPR compliance can be simple and affordable