GDPR Article 6(1)(e): A Constitutional Gateway
An advanced practitioners' guide to public task and official authority — where administrative law, fundamental rights, and data protection converge.
GDPR Article 6(1)(e): Public Task and Official Authority
The Two Limbs of Article 6(1)(e)
Processing is lawful where it is necessary for the performance of a task carried out in the public interest, or necessary for the exercise of official authority vested in the controller.
Who Is This Provision For?
Public authorities, public bodies, and regulators
Courts acting in administrative capacities and statutory agencies
Private entities entrusted with public functions by law
Outsourced service providers acting on behalf of public authorities where the underlying task remains a public task
How It Differs from Other Legal Bases
Unlike consent (6(1)(a)): Processing does not depend on a freely given choice. Withdrawal of consent is irrelevant because consent is not the legal basis.
Unlike legitimate interests (6(1)(f)): No balancing test is required. The public task itself provides the legal justification — though proportionality and necessity remain mandatory.
Unlike contract (6(1)(b)): The basis is rooted in public law, not private agreement.
Core Elements of Article 6(1)(e)
Four cumulative requirements must all be satisfied. Failure of any single element invalidates reliance on Article 6(1)(e).
1. Public-Interest Task or Official Authority
A genuine public-interest task or officially conferred authority must exist — not merely a convenient or beneficial purpose.
2. Established in Union or Member State Law
The task or authority must be grounded in EU law or national legislation. Controllers cannot self-designate their own public tasks.
3. Processing Must Be Necessary
A rational, proportionate connection must exist between the processing activity and the public task. Less intrusive alternatives must be considered.
4. Full GDPR Compliance
All other GDPR principles and obligations under Article 5 and beyond must be satisfied simultaneously — Article 6(1)(e) is not a blanket exemption.
Meaning of "Task Carried Out in the Public Interest"
Public interest is not defined autonomously by the controller. The concept must be derived from EU law, national legislation, statutory instruments, constitutional mandates, or public-sector regulatory frameworks.
Appropriate Uses
Public health surveillance and disease notification systems
Tax administration and electoral administration
Social welfare and environmental protection monitoring
Education administration by public authorities
Child safeguarding and national archives
Public statistics, transportation safety oversight, financial supervision
Potentially Inappropriate Uses
A public authority operating a purely commercial loyalty programme
Marketing unrelated to statutory functions
Optional services lacking a legal mandate
Research projects where no legal basis establishes the public task
Processing performed merely because it is convenient
Meaning of "Official Authority"
Official authority involves powers conferred by law — not assumed, implied by convenience, or self-declared. The following indicators signal the presence of official authority.
Regulatory & Investigatory
Powers to investigate, inspect, and regulate conduct within a defined sector or jurisdiction.
Licensing & Permitting
Powers to grant, refuse, suspend, or revoke licences and permits.
Enforcement & Adjudication
Powers to enforce compliance, impose sanctions, and make binding administrative decisions.
Administrative Decision-Making
Powers to make determinations affecting individuals' rights, obligations, or entitlements.
Illustrative examples: A regulator investigating market abuse · A local authority issuing planning permits · A tax authority assessing liabilities · A licensing authority reviewing applications · An immigration authority processing visa applications.
The Requirement for a Legal Foundation
Article 6(3) is critical. Article 6(1)(e) cannot stand alone. The public task or official authority must be established by EU law or Member State law.
What the Underlying Law Should Identify
The purpose of processing and the relevant public function
The categories of processing contemplated
The conditions applicable to processing
Appropriate safeguards where required
Advanced Practitioner Questions
  • What precise statutory power authorises the task?
  • What legal instrument establishes the authority?
  • What specific processing activities are contemplated?
  • Does the law expressly or implicitly require the processing?
The Necessity Requirement
Necessity is often the most misunderstood element of Article 6(1)(e). It carries a precise legal meaning that is considerably more demanding than everyday usage suggests.
Necessity Does NOT Mean
Useful
Efficient
Desirable
Cost-Saving
Necessity DOES Mean
A rational connection exists between processing and the public task
The objective cannot reasonably be achieved through less intrusive means
The processing scope is proportionate to the aim pursued
Necessary Processing
  • Collecting taxpayer identifiers to administer taxation
  • Processing patient records to deliver public healthcare
  • Verifying identity before issuing passports
Potentially Unnecessary Processing
  • Collecting excessive demographic information unrelated to the task
  • Retaining records indefinitely without legal justification
  • Sharing data broadly when targeted disclosure would suffice
Relationship with the Principles of Article 5
Compliance with Article 6(1)(e) does not create an exemption from Article 5. A common compliance failure is treating Article 6(1)(e) as sufficient in itself whilst neglecting Article 5 requirements. All nine principles apply in full.
Lawfulness, Fairness & Transparency
Processing must have a valid legal basis, be conducted fairly, and individuals must be informed in a clear and accessible manner.
Purpose Limitation & Data Minimisation
Data must be collected for specified, explicit, and legitimate purposes. Only data that is adequate, relevant, and limited to what is necessary may be processed.
Accuracy & Storage Limitation
Data must be accurate and kept up to date. It must not be retained in identifiable form for longer than necessary for the public task.
Integrity, Confidentiality & Accountability
Appropriate technical and organisational security measures must be in place. Controllers must be able to demonstrate compliance with all principles.
Transparency Requirements
Individuals must be able to understand why their data is processed, which legal authority authorises processing, which public task is being performed, who receives the data, and what rights they hold.
What Individuals Must Understand
  • Why data is processed and which public task is being performed
  • Which legal authority authorises the processing
  • Who receives the data and in what circumstances
  • Applicable rights and how to exercise them
What Privacy Notices Must Explicitly Identify
Article 6(1)(e) as the lawful basis for processing
The specific statutory authority underpinning the task
Relevant legislative references enabling the processing
Data Subject Rights Under Article 6(1)(e)
Rights remain applicable unless restricted by law. Public authorities often underestimate the scope of rights that continue to apply when relying on Article 6(1)(e).
Access & Rectification
Individuals retain the right to access their data (Article 15) and to have inaccurate data corrected (Article 16).
Restriction
The right to restrict processing (Article 18) applies in defined circumstances, including where accuracy is contested.
Right to Object (Article 21)
Controllers must generally stop processing unless they demonstrate compelling legitimate grounds overriding the individual's interests, rights and freedoms — or processing is for legal claims.
Complaint to Supervisory Authority
Individuals retain the right to lodge complaints with the relevant supervisory authority at any time.
Special Category Data Interlock
Article 6(1)(e) alone never authorises special category data processing. A separate Article 9 condition is always required. Controllers must identify both bases before any sensitive data is processed.
Common Article 9 Pairings
  • Art. 9(2)(g): Substantial public interest
  • Art. 9(2)(h): Health and social care
  • Art. 9(2)(i): Public health
  • Art. 9(2)(j): Research and statistics
Illustrative Example
Criminal Offence Data
Criminal offence data requires Article 10 compliance in addition to Article 6(1)(e). Examples include police vetting, regulatory enforcement databases, and safeguarding checks. Article 6(1)(e) remains necessary but is not sufficient.
Automated Decision-Making Interlock
Public authorities relying on Article 6(1)(e) must also evaluate Article 22 obligations, applicable Member State legislation, and due process safeguards whenever automated processing is used to make decisions with significant effects on individuals.
1. Identify Automated Processing
Determine whether the system makes solely automated decisions producing legal or similarly significant effects.
2. Assess Article 22 Applicability
Evaluate whether an Article 22 exception applies — including where authorised by Union or Member State law with suitable safeguards.
3. Implement Due Process Safeguards
Ensure human review, the right to contest decisions, and meaningful explanation are built into the process.
Examples requiring Article 22 analysis: Welfare eligibility systems · Tax fraud detection algorithms · Automated licensing decisions · Benefits assessment tools.
Research, Statistics, and International Transfers
Research and Statistical Processing
Article 6(1)(e) often supports national statistics, public policy research, and official government research programmes. However, additional safeguards are required.
Article 89 — Safeguards for research, statistics, and archiving
Article 5(1)(b) — Compatible purposes principle
Article 9 — Where special category data is involved
International Transfers
Article 6(1)(e) does not authorise international transfers. Separate compliance with Chapter V is always required.
Controllers must assess:
  • Adequacy decisions issued by the Commission
  • Appropriate safeguards (SCCs, BCRs, etc.)
  • Transfer impact assessments
  • Derogations under Article 49 where applicable
Intersecting GDPR Articles
Article 6(1)(e) compliance requires simultaneous engagement with a wide range of GDPR provisions. The following reference map identifies every intersecting article that advanced practitioners must consider.
Twenty Cross-Cutting Technical Controls: Part I
Controls 1–7 address the foundational legal, governance, and data-management requirements for Article 6(1)(e) compliance.
Statutory Authority Mapping
Maintain a documented inventory linking every processing activity to specific statutory powers, delegated authority, or public-interest mandates.
Legal Basis Register
Record the exact Article 6 basis for every processing activity and document why Article 6(1)(e) is more appropriate than alternative legal bases.
Necessity Assessment Framework
Require documented analysis showing why each processing activity is necessary rather than merely beneficial.
Proportionality Review Process
Evaluate whether less intrusive alternatives exist and require justification for rejecting those alternatives.
Purpose Governance Control
Maintain controlled purpose statements linked to statutory objectives and prevent unauthorised purpose expansion.
Data Minimisation Engineering
Configure systems to collect only fields demonstrably required for the public task.
Structured Retention Management
Implement automated retention schedules aligned with legal mandates and enforce defensible disposal procedures.
Twenty Cross-Cutting Technical Controls: Part II
Controls 8–14 address change management, transparency, rights workflows, and specialist data governance requirements.
Control 8: Lawful-Basis Change Management
Require legal review whenever processing scope changes. Assess whether the original public-task mandate still applies to the modified activity.
Control 9: Records of Processing Automation
Maintain comprehensive Article 30 records integrated with operational systems to ensure accuracy and completeness.
Control 10: Transparency Management Programme
Ensure privacy notices accurately identify statutory authority, public task, purposes, recipients, retention periods, and rights.
Control 11: Data Subject Rights Workflow
Implement case-management systems capable of handling access, objection, rectification, restriction, and complaint requests within statutory timeframes.
Control 12: Article 21 Objection Assessment Process
Establish formal procedures for evaluating objections and documenting override justifications with compelling legitimate grounds.
Control 13: Special Category Data Gatekeeping
Require validation of both Article 6 and Article 9 conditions before processing sensitive data. No exceptions.
Control 14: Criminal-Offence Data Governance
Implement enhanced authorisation, logging, segregation, and legal review controls for all Article 10 processing activities.
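One way to enforce the Legal Basis Register together with the gatekeeping in Controls 13 and 14 as a check that runs before processing starts. This is an added example, not part of the original guide; the field names, sample entries and placeholder statute names are assumptions.

```python
from dataclasses import dataclass

# Article 9(2) conditions the guide lists as common pairings with Article 6(1)(e).
ART9_PAIRINGS = {"9(2)(g)", "9(2)(h)", "9(2)(i)", "9(2)(j)"}

@dataclass
class RegisterEntry:
    """One row of a legal basis register (hypothetical field names)."""
    activity: str
    statutory_authority: str = ""      # law establishing the task, per Article 6(3)
    necessity_assessment: str = ""     # reference to the documented analysis
    special_category: bool = False
    article9_condition: str = ""
    criminal_offence_data: bool = False
    article10_authorisation: str = ""
    international_transfer: bool = False
    chapter_v_mechanism: str = ""      # e.g. adequacy decision, SCCs, BCRs

def gate(entry):
    """Return blocking findings; an empty list means the entry passes."""
    findings = []
    if not entry.statutory_authority.strip():
        findings.append("no statutory authority recorded (Article 6(3))")
    if not entry.necessity_assessment.strip():
        findings.append("no documented necessity assessment")
    if entry.special_category:
        if not entry.article9_condition:
            findings.append("special category data without an Article 9 condition")
        elif entry.article9_condition not in ART9_PAIRINGS:
            # Assumption: anything outside the listed pairings goes to legal review.
            findings.append("Article 9 condition needs legal review")
    if entry.criminal_offence_data and not entry.article10_authorisation.strip():
        findings.append("criminal offence data without Article 10 authorisation")
    if entry.international_transfer and not entry.chapter_v_mechanism.strip():
        findings.append("international transfer without a Chapter V mechanism")
    return findings

# Constructed sample entries, not real register data.
SAMPLE = [
    RegisterEntry("disease notification", "PLACEHOLDER Public Health Act", "NA-001",
                  special_category=True, article9_condition="9(2)(i)"),
    RegisterEntry("vetting checks", "PLACEHOLDER Vetting Regulations", "NA-002",
                  criminal_offence_data=True),
    RegisterEntry("citizen loyalty programme"),
]

def review(entries):
    """Map each activity name to its list of blocking findings."""
    return {e.activity: gate(e) for e in entries}
```

Wiring `gate()` into the deployment or data-onboarding pipeline makes a missing Article 9 or Article 10 basis a hard failure rather than something found at audit.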
Twenty Cross-Cutting Technical Controls: Part III
Controls 15–20 address impact assessment, privacy engineering, access control, audit, third-party governance, and continuous assurance.
Control 15: DPIA Programme
Trigger Data Protection Impact Assessments for high-risk processing involving public-interest functions, as required by Article 35.
Control 16: Privacy-by-Design Architecture
Embed minimisation, pseudonymisation, access control, and segregation requirements into system design from the outset.
Control 17: Role-Based Access Control
Restrict access according to operational necessity and statutory responsibilities. Continuously review privilege allocations.
Control 18: Audit Logging and Accountability
Log collection, access, modification, disclosure, export, and deletion events. Monitor continuously for unauthorised use.
Control 19: Third-Party Governance
Ensure processors and delegated service providers operate strictly within the controller's public-task mandate. Verify contractual and operational compliance.
Control 20: Continuous Compliance Assurance
Conduct recurring legal reviews, compliance audits, control testing, DPIA reassessments, legislative monitoring, and supervisory-guidance reviews to ensure processing remains necessary, proportionate, and legally authorised.
Advanced Practitioner Teaching Point
The most sophisticated understanding of Article 6(1)(e) is that it functions as a nexus between administrative law, constitutional principles, fundamental rights protection, sector-specific legislation, and data protection law.
The Wrong Questions
  • "Is this useful?"
  • "Is this efficient?"
  • "Do we have a public purpose?"
The Right Questions
  • "What precise legal authority creates the public task?"
  • "Why is this specific processing necessary for that task?"
  • "Can the same objective be achieved with less intrusive processing?"
  • "How is accountability evidenced?"
  • "Which additional GDPR provisions must be satisfied simultaneously?"
The Layered Compliance Framework
Mature Article 6(1)(e) compliance requires a layered legal, organisational, and technical control framework in which the following operate together — never as isolated activities:
Lawful Basis
Necessity & Proportionality
Transparency
Accountability
Security
Rights Protection