GDPR Article 6: Lawfulness of Processing
Analysis for Data Protection Officers and Privacy Compliance Professionals
Doctrinal Overview
Article 6 of the General Data Protection Regulation establishes the exhaustive legal bases under which personal data processing is lawful. It operationalises the principle of lawfulness, fairness, and transparency enshrined in Article 5(1)(a), transforming abstract legitimacy into enforceable, justiciable conditions. Processing is lawful only if at least one of the six prescribed bases applies — and crucially, Article 6 is not merely a classification exercise.
1. Consent (Art. 6(1)(a))
2. Contract (Art. 6(1)(b))
3. Legal Obligation (Art. 6(1)(c))
4. Vital Interests (Art. 6(1)(d))
5. Public Task (Art. 6(1)(e))
6. Legitimate Interests (Art. 6(1)(f))
Chapter I
The Six Legal Bases at a Glance
Each basis carries distinct legal tests, operational constraints, and accountability requirements. Understanding the hierarchy and interplay between bases is essential for robust compliance architecture.
1. Consent: Freely given, specific, informed, and unambiguous — but revocable at any time, making it operationally the most fragile basis.
2. Contract: Strictly necessary for contractual performance or pre-contractual steps at the data subject's request — not mere commercial convenience.
3. Legal Obligation: Mandated by binding EU or Member State law — this basis overrides consent withdrawal within its strict statutory scope.
4. Vital Interests: A last-resort basis applicable only where life or physical integrity is at risk and the data subject cannot consent.
5. Public Task: Requires a clear legal mandate in the public interest or exercise of official authority — closely tied to administrative law.
6. Legitimate Interests: The most flexible yet most scrutinised basis — requiring a rigorous three-part test and documented balancing exercise.
Chapter II
Consent & Contract: The Two Most Frequently Invoked Bases
Consent — Art. 6(1)(a)
Must be freely given, specific, informed, and unambiguous. Controllers must maintain dynamic systems capable of honouring withdrawal at any time. Key risks include consent fatigue, dark patterns, and cross-system synchronisation failures.
  • No imbalance of power permissible
  • Purpose-specific and granular
  • Withdrawable without detriment
  • Requires Consent Management Platform (CMP)
Contract — Art. 6(1)(b)
Applies only where processing is strictly necessary for the performance of a contract to which the data subject is party, or to take pre-contractual steps at their request. The EDPB's interpretation sharply narrows this basis — many digital services improperly overextend it to analytics and behavioural profiling.
  • Strict necessity — not convenience
  • Direct nexus to contractual performance
  • Cannot justify ancillary marketing processing
  • Requires contractual necessity assessment tool
Legal Obligation, Vital Interests & Public Task
These three bases share a common characteristic: they derive their legitimacy from external legal or humanitarian frameworks, rather than the data subject's will. Each carries stringent preconditions that must be clearly documented.
Legal Obligation — Art. 6(1)(c)
Processing mandated by a binding EU or Member State legal norm — such as tax reporting, employment records, or anti-money laundering obligations. This basis overrides consent withdrawal but is strictly confined to the obligation's scope. Requires a legal obligation mapping register and continuous regulatory monitoring.
Vital Interests — Art. 6(1)(d)
A last-resort basis applicable only where life or physical integrity is at immediate risk and the data subject is incapable of providing consent — such as emergency healthcare or disaster response. Requires logged access override mechanisms and robust incident linkage systems.
Public Task — Art. 6(1)(e)
Processing necessary for tasks carried out in the public interest or the exercise of official authority vested in the controller. Requires a clear statutory mandate — applicable to law enforcement, public health surveillance, and regulatory bodies. Closely tied to administrative law and requires a public task authorisation register.
Legitimate Interests — Art. 6(1)(f)
The most flexible yet most scrutinised of all legal bases. Inapplicable to public authorities in the performance of their tasks, and subject to a three-part cumulative test that must be rigorously documented.
① Purpose Test
Is the interest legitimate, lawful, and not contrary to law? The interest must be real, present, and sufficiently articulated — vague commercial interests do not suffice.
② Necessity Test
Is the processing necessary to achieve the purpose? The controller must demonstrate that no less intrusive means are reasonably available — proportionality is central.
③ Balancing Test
Do the data subject's rights and freedoms override the interest? This requires weighing the nature of data, reasonable expectations, and potential impact on the individual.
Chapter III
Cross-Cutting Technical & Organisational Controls
Article 6 compliance requires a structured architecture of 30 interlocking controls, spanning both technical systems and organisational governance. The table below maps each control to its type, function, and Article 6 relevance.
Controls 11–30: Governance, Technical Enforcement & Monitoring
Chapter IV
Operationalising Article 6 at Scale
The central challenge for advanced practitioners is not interpretation — it is operationalisation at scale, where legal theory must be embedded into system architecture. Compliance is engineered, not declared.
Dynamic Validity
Legal bases are not static. Consent may be withdrawn; statutory obligations may be amended; legitimate interests may be challenged. Systems must detect and respond to changes in real time, automatically ceasing or adjusting processing as the legal basis evolves.
Technical Enforcement
Compliance must be embedded at the architectural level — via purpose limitation controls, lawfulness validation APIs, RBAC systems, and data retention schedulers. A valid legal basis in a policy document is insufficient without corresponding system-level enforcement.
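As an added illustration, not part of the original analysis, the following Python sketch models a lawfulness validation check of the kind described above: each processing call is evaluated against the documented basis for its purpose, consent withdrawal takes effect from its recorded date, a legal obligation continues to apply within its statutory scope after consent is withdrawn, and legitimate interests require a documented balancing test. The register schema, field names, purposes and statutory reference are hypothetical.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Art. 6(1) bases keyed by sub-paragraph letter (constructed for this example).
CONSENT, CONTRACT, LEGAL_OBLIGATION, VITAL_INTERESTS, PUBLIC_TASK, LEGIT_INTERESTS = "abcdef"

@dataclass
class BasisRecord:
    """One documented legal basis, as held in a RoPA-style register (hypothetical schema)."""
    basis: str
    purposes: frozenset                  # purposes this basis was established for
    withdrawn_on: Optional[date] = None  # consent withdrawal date, 6(1)(a) only
    statutory_ref: str = ""              # enabling Union/Member State law, 6(1)(c)/(e)
    lia_documented: bool = False         # balancing test (LIA) on file, 6(1)(f)
    public_authority: bool = False       # controller acting as a public authority

def check_basis(rec, purpose, today):
    """Validate one recorded basis for one purpose at a point in time -> (ok, reason)."""
    if purpose not in rec.purposes:
        return False, "purpose not covered by this basis (purpose limitation)"
    if rec.basis == CONSENT:
        if rec.withdrawn_on is not None and rec.withdrawn_on <= today:
            return False, "consent withdrawn"
        return True, "valid consent"
    if rec.basis in (LEGAL_OBLIGATION, PUBLIC_TASK):
        if not rec.statutory_ref:
            return False, "no statutory grounding (Art. 6(3))"
        return True, f"statutory basis: {rec.statutory_ref}"
    if rec.basis == LEGIT_INTERESTS:
        if rec.public_authority:
            return False, "6(1)(f) unavailable to public authorities performing their tasks"
        if not rec.lia_documented:
            return False, "balancing test not documented"
        return True, "documented legitimate interest"
    if rec.basis in (CONTRACT, VITAL_INTERESTS):
        return True, "basis recorded"  # necessity assessment assumed to be logged elsewhere
    return False, "unknown basis"

def lawful_basis_for(records, purpose, today):
    """Return the first basis that still holds for `purpose` (or None) plus an audit trail."""
    trail = []
    for rec in records:
        ok, why = check_basis(rec, purpose, today)
        trail.append((rec.basis, why))
        if ok:
            return rec.basis, trail
    return None, trail

# Constructed register: marketing and invoice retention under consent (withdrawn 2024-03-01),
# invoice retention additionally under a tax-law obligation that survives the withdrawal.
REGISTER = [
    BasisRecord(CONSENT, frozenset({"marketing", "invoice_retention"}), withdrawn_on=date(2024, 3, 1)),
    BasisRecord(LEGAL_OBLIGATION, frozenset({"invoice_retention"}), statutory_ref="[national tax law placeholder]"),
]
```

The returned trail is the per-call evidence an accountability review would expect: which bases were considered, in what order, and why each was accepted or rejected.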
Demonstrable Accountability
Under Article 5(2) GDPR, the controller must be able to demonstrate compliance. Evidence — audit logs, LIAs, RoPAs, DPIAs, consent records — is as legally material as correctness. Accountability is a continuous, documented obligation, not a point-in-time attestation.
Concluding Observations
Article 6 compliance is not achieved by selecting a legal basis — it is achieved by engineering systems that enforce and continuously validate that basis across the full lifecycle of processing. The following synthesis distils the analytical framework into actionable principles for advanced compliance professionals.
Selection Is Necessary but Not Sufficient
Identifying the applicable basis is the starting point, not the endpoint. Controllers must demonstrate ongoing alignment between purpose, necessity, and legal justification — revisiting bases as circumstances change.
Architecture Is Compliance
The 30 cross-cutting controls identified in this analysis represent the minimum technical and organisational infrastructure required. Legal compliance cannot be decoupled from system design — the two are coextensive.
Documentation Is Enforcement
Supervisory authorities assess accountability through evidence: RoPAs, LIAs, DPIAs, audit trails, and consent records. In enforcement proceedings, an undocumented basis is effectively no basis at all.
Basis Fragility Varies by Type
Consent is revocable; legitimate interests are challengeable; public task requires statutory grounding. Controllers must architect for the specific fragility profile of each basis, with fallback mechanisms where multiple bases may apply concurrently.
"For advanced practitioners, the challenge is not interpretation, but operationalisation at scale — where legal theory meets system design."
Chapter V
Article 6(2) & 6(3): Member State Competence and the Statutory Grounding Requirement
Paragraphs 2 and 3 of Article 6 constitute the structural interface between the GDPR's uniform supranational framework and the residual legislative competence of Member States. They are not merely procedural addenda — they define the constitutional architecture within which Arts. 6(1)(c) and 6(1)(e) operate, and impose substantive requirements on the quality and accessibility of the national or Union law that must underpin processing under those bases.
Art. 6(2) — Member State Adaptation Power
Member States may maintain or introduce more specific provisions to adapt the application of the GDPR with regard to processing under Art. 6(1)(c) (legal obligation) and Art. 6(1)(e) (public task). This opening clause permits national legislators to: (i) specify more precisely the conditions under which processing is lawful; (ii) introduce additional safeguards or restrictions; and (iii) address specific processing situations enumerated in Chapter IX (e.g., employment, scientific research, public interest archiving). Crucially, Art. 6(2) does not authorise Member States to expand the scope of lawful processing beyond what Art. 6(1) permits — it is an adaptation power, not a derogation power. National provisions must remain within the GDPR's normative envelope.
Art. 6(3) — The Statutory Grounding Requirement
The legal basis for processing under Art. 6(1)(c) and Art. 6(1)(e) must be laid down by: (a) Union law; or (b) Member State law to which the controller is subject. The purpose of the processing shall be determined in that legal basis. Art. 6(3) further permits the legal basis to contain specific provisions adapting GDPR rules, including: the general conditions governing lawfulness; the types of data subject to processing; the data subjects concerned; the entities to which data may be disclosed; purpose limitations; storage periods; and processing operations and procedures. Recital 41 confirms that the legal basis need not be an explicit statutory provision — it suffices that the law is foreseeable and accessible to those subject to it, consistent with the rule-of-law requirements of the ECHR and the EU Charter.
Doctrinal Significance & Compliance Implications
The Foreseeability Standard
Following Recital 41 and ECtHR jurisprudence, the legal basis must be formulated with sufficient precision to enable individuals to foresee the consequences of processing. Vague or broadly worded statutory mandates will not satisfy Art. 6(3) — the purpose of processing must be determinable from the legal basis itself.
Purpose Determination & Limitation
Art. 6(3) requires that the purpose of processing be determined in the legal basis. This creates a hard constraint: controllers relying on Art. 6(1)(c) or (e) cannot unilaterally expand processing purposes beyond those specified in the enabling law. Any purpose extension requires a new or amended statutory basis.
Interaction with Art. 6(4) & Compatible Processing
Where processing under Art. 6(1)(c) or (e) is grounded in a statutory basis, that same basis may authorise further processing for compatible purposes (Art. 6(4)). However, the compatibility assessment is not displaced — it is informed by the statutory framework, which may itself define the permissible scope of further processing.
Member State Divergence Risk
Art. 6(2) has generated significant regulatory fragmentation. Member States have exercised their adaptation powers inconsistently, producing divergent national regimes — particularly in employment (Art. 88), health data (Art. 9(2)(h)–(i)), and public sector processing. Controllers operating across jurisdictions must map applicable national implementing legislation for each Art. 6(1)(c)/(e) processing activity.
"The statutory grounding requirement of Art. 6(3) is not a formality — it is the mechanism by which the rule of law is operationalised within the GDPR's framework of lawful processing. An enabling law that fails the foreseeability standard is not a legal basis at all."