Refresher: The GDPR's Six Legal Bases for Data Processing
Published: January 2023
This resource provides a refresher on the six bases for lawful processing under Article 6 of the EU General Data Protection Regulation. Given the fines levied in January 2023 by the Irish Data Protection Commission against Meta Ireland, this resource explains the scope of the Article 6 lawful bases for processing, further considerations for determining when each applies, relevant recitals, additional IAPP guidance and resources from supervisory authorities.
There are six available bases within Article 6(1), "Lawfulness of processing": consent, contract, legal obligation, vital interest, public task and legitimate interest. Controllers must identify a basis for processing by the time collection of data occurs. Per Article 13(1)(3), controllers must also inform the data subject of the legal basis for processing at the time the data is collected from them.
The GDPR's Six Legal Bases for Data Processing
Legal basis: Consent
Definition/Application
The subject has freely given specific, informed and unambiguous consent to process the data for one or more specific purposes.
Further considerations
Consent agreement must be “clearly distinguishable from the other matters” and presented in “clear and plain language.” The data subject can withdraw consent at any time.
Legal basis: Contract
Definition/Application
Processing is necessary for performance of a contract to which the data subject is a party.
Further considerations
Processing must be necessary to deliver a contractual or requested service to a person.
Relevant recitals: 44
Legal basis: Legal obligation
Definition/Application
Processing is necessary for compliance with a legal obligation to which the controller is subject.
Further considerations
Processing must be necessary to comply with common law or statutory obligation. This does not apply to contractual obligations.
Relevant recitals: 45
Legal basis: Vital interests
Definition/Application
Processing is necessary to protect the vital interests of the data subject or another natural person.
Further considerations
Processing must be necessary to protect someone’s life. This cannot be relied on for health or other special category data if the person can give consent.
Relevant recitals: 46
Legal basis: Public task
Definition/Application
Processing is necessary for performance of a task carried out in the public interest or in the interest of an official authority vested in the controller.
Further considerations
This applies to functions and powers set out in law and is mostly relevant to public authorities and organizations exercising official authority.
Relevant recitals: 45, 50, 54, 55, 56, 154
Legal basis: Legitimate interests
Definition/Application
Processing is necessary for a legitimate interest pursued by the controller or a third party.
Further considerations
This requires a “balancing test.” It may be overridden by the fundamental rights and freedoms of the data subject, particularly when the data subject is a child.
Relevant recitals: 47, 48, 49, 69