Article 6 explains the legal bases that organisations must rely on in order to process personal data lawfully. This means that organisations cannot collect or use someone’s personal data unless they have a valid legal reason for doing so. Article 6 is one of the most important parts of data protection law because it sets the foundation for fair and lawful data handling.
The article lists six lawful bases for processing: consent, contract, legal obligation, vital interests, public task, and legitimate interests. For example, consent applies when a person has clearly agreed to their data being used, while contract applies when processing is necessary to fulfil an agreement, such as delivering goods or services. Legal obligation covers situations where organisations must process data to comply with the law, such as keeping tax records.
Overall, Article 6 ensures that personal data is only processed when there is a clear and justified reason, protecting individuals from unnecessary or unfair data use. It promotes transparency, accountability, and trust, making sure organisations can explain and justify why they are using personal information.
| Section / Point | Summary | Notes / Examples |
|---|---|---|
| General principle | Personal data can only be processed **lawfully, fairly, and transparently**. | Organisations must have a valid legal basis before processing data. |
| Consent | Processing is lawful if the individual has given **freely given, specific, informed, and unambiguous consent**. | Example: ticking a checkbox for marketing emails after being informed. |
| Contract | Processing is necessary to **perform a contract** with the data subject. | Example: processing address to deliver purchased goods. |
| Legal obligation | Processing is necessary to **comply with the law**. | Example: keeping tax or employment records as required by law. |
| Vital interests | Processing is necessary to **protect the vital interests of the data subject** or another person. | Example: medical emergency where consent cannot be obtained. |
| Public task | Processing is necessary for performing a **task carried out in the public interest or official authority**. | Example: government health statistics or local authority services. |
| Legitimate interests | Processing is necessary for the **legitimate interests of the controller** or a third party, unless overridden by the data subject’s rights. | Example: fraud prevention, direct marketing, internal admin tasks. |
Article 1 – Article 2, Article 3, Article 4, Article 5, Article 6, Article 7 , Article 8