When organizations collect, use, or store personal data in the European Union (EU), they must comply with the General Data Protection Regulation (GDPR). One of the most fundamental requirements under this law is that any processing of personal data must have a lawful basis. Article 6 of the GDPR outlines these lawful bases, providing the legal justification for why data can be processed.
Understanding Article 6 is crucial for compliance — and even more importantly, knowing how it applies in real-world situations helps businesses make correct decisions. This article explains each lawful basis in Article 6 and provides practical examples for different industries and contexts.
What Article 6 of the GDPR States
Article 6 of the GDPR is titled “Lawfulness of processing.” It describes six lawful bases that can justify the processing of personal data. At least one of these must apply for the processing to be considered lawful.
The six bases are:
- Consent – The individual has given clear consent for the processing.
- Contract – Processing is necessary for the performance of a contract.
- Legal obligation – Processing is necessary to comply with the law.
- Vital interests – Processing is necessary to protect someone’s life.
- Public task – Processing is necessary for a task carried out in the public interest or in the exercise of official authority.
- Legitimate interests – Processing is necessary for the legitimate interests pursued by the controller or a third party, except where overridden by the rights of the data subject.
Each of these bases applies in different circumstances. Below we explore them one by one with real-world examples.
1. Consent – When People Agree to Data Processing
The most common and transparent lawful basis is consent. Under Article 6(1)(a), consent means a freely given, specific, informed, and unambiguous indication of the data subject’s wishes. In other words, people must clearly agree to the processing of their data.
Example 1: Email Marketing Subscription
When a user subscribes to a company’s newsletter, they typically tick a checkbox that says something like, “I agree to receive promotional emails.” That explicit action demonstrates consent. The business then lawfully processes the person’s email address for marketing purposes.
Example 2: Online Surveys or Contests
If a company conducts a survey or a competition and asks participants to provide personal data (name, email, preferences), it can only use this information for the stated purpose if the user consents. For example, “By entering this contest, you agree to the processing of your data for prize delivery.”
Example 3: Use of Cookies and Tracking Tools
Websites often request consent before setting cookies or using analytics tools like Google Analytics. A cookie banner asking users to “Accept all cookies” is a form of consent request — and users can withdraw that consent anytime.
Why Consent Is Sensitive
Consent must always be voluntary and revocable. If withdrawing consent harms the user (for instance, by denying access to essential services), it’s not considered valid consent under the GDPR.
2. Contract – Necessary to Fulfill an Agreement
The second lawful basis under Article 6(1)(b) covers data processing that is necessary for the performance of a contract or to take steps before entering a contract.
Example 1: Online Shopping
When a customer purchases a product from an online store, the retailer needs to process the buyer’s personal data (name, delivery address, payment details) to deliver the order. This is lawful because the processing is contractually necessary — it enables the seller to fulfill the purchase contract.
Example 2: Employment Contracts
An employer must collect certain data from employees, such as bank account information to pay salaries, tax numbers, and emergency contacts. All this data is processed under the contractual basis because it’s essential for performing the employment agreement.
Example 3: Service Subscriptions
If you sign up for a streaming service like Netflix, your account details, payment data, and viewing history are processed as part of the contract. Without such processing, the service could not function or deliver what you paid for.
Key Principle
This basis applies only when processing is truly necessary for the contract. If a business collects extra data that isn’t essential for performing the contract, that data needs another lawful basis (e.g., consent or legitimate interest).
3. Legal Obligation – When the Law Requires It
Article 6(1)(c) allows processing when it is necessary to comply with a legal obligation imposed on the controller. This covers obligations under EU or member-state law.
Example 1: Financial Record Keeping
A company must retain invoices and accounting records for several years to comply with tax laws. Even if a customer requests deletion of their data, the company can lawfully keep those records because it has a legal obligation to do so.
Example 2: Employment and Labor Regulations
Employers must process certain employee data to comply with national labor laws — for instance, reporting to social security or paying taxes. These actions are legally mandated, so no consent is required.
Example 3: Health and Safety Regulations
Hospitals or clinics must maintain medical records for legal reasons. Even if a patient later withdraws consent for other data uses, the healthcare provider still must store certain information to satisfy statutory duties.
Important Note
Organizations must clearly identify which law creates the obligation. Saying “we do this for compliance reasons” isn’t enough; they must cite or refer to the specific regulation or statutory duty.
4. Vital Interests – Protecting Someone’s Life
Under Article 6(1)(d), processing is lawful if it is necessary to protect someone’s vital interests, typically in emergencies where life or health is at risk.
Example 1: Medical Emergencies
Imagine an unconscious patient arriving at a hospital. Doctors can process the patient’s health information without consent to save their life. The lawful basis is the vital interests of the patient.
Example 2: Disaster Response
Emergency services may share personal data during natural disasters — such as names and contact details of affected individuals — to coordinate rescue efforts or notify families. Again, this is justified by vital interests.
Example 3: Public Health Situations
During epidemics, certain medical data might be processed to track infection chains or ensure rapid response when a person’s life is at stake. The data must be limited strictly to what’s necessary to protect individuals.
Key Limitation
Vital interests apply only in exceptional, life-threatening circumstances. This basis cannot justify ordinary business or administrative data uses.
5. Public Task – Acting in the Public Interest or Under Official Authority
Article 6(1)(e) applies when processing is necessary for a task carried out in the public interest or when exercising official authority. This usually involves government bodies or entities entrusted with public duties.
Example 1: National Statistics Agencies
Statistical offices process vast amounts of personal data to conduct censuses or economic surveys. The purpose is to serve the public interest — not to market or profit — so the lawful basis is the public task.
Example 2: Local Authorities
Municipalities that maintain records of residents, issue permits, or manage social services process personal data under their official authority. The processing is not based on consent but on their legal role.
Example 3: Universities and Research Institutions
Public universities may process data of students or participants for research that serves societal development. If such projects are carried out under an official mandate or funded by the state, Article 6(1)(e) applies.
Why Public Task Differs from Legal Obligation
While both rely on legal frameworks, “public task” relates to functions of public interest, whereas “legal obligation” concerns specific legal requirements. For example, issuing ID cards is a public task, while paying tax on staff salaries is a legal obligation.
6. Legitimate Interests – Balancing Business Needs and Privacy
Perhaps the most flexible and widely used basis is legitimate interests under Article 6(1)(f). It allows processing when it is necessary for the legitimate interests of the controller or a third party, provided these interests are not overridden by the individual’s rights or freedoms.
Example 1: Fraud Prevention
Banks and online marketplaces often monitor transactions to detect suspicious activity. This processing protects both the business and its customers from fraud — a clear legitimate interest.
Example 2: Direct Marketing
Companies can sometimes rely on legitimate interests for marketing to existing customers, as long as it’s proportionate and expected. For example, a store that sends product recommendations to its current buyers may rely on this basis instead of explicit consent.
Example 3: Internal Security and Network Monitoring
Organizations may log employee access to IT systems or monitor network activity to ensure cybersecurity. This processing serves a legitimate interest — protecting corporate data and assets — provided it doesn’t unduly intrude on employees’ privacy.
Example 4: CCTV in Business Premises
Installing CCTV cameras for preventing theft or ensuring safety can be justified under legitimate interests. However, businesses must perform a balancing test — evaluating whether their interest outweighs the data subject’s right to privacy.
Key Responsibility: The Balancing Test
Before relying on legitimate interests, organizations must conduct a legitimate interest assessment (LIA). This involves three questions:
- Purpose test – Is there a genuine legitimate interest?
- Necessity test – Is processing necessary to achieve it?
- Balancing test – Do the individual’s rights override the interest?
Only if all three are satisfied is the processing lawful under Article 6(1)(f).
How Organizations Choose the Right Lawful Basis
The choice of lawful basis determines how data subjects’ rights apply. For instance, if processing is based on consent, people can withdraw it anytime. But if processing relies on legal obligation, the organization cannot erase the data upon request if it must keep it by law.
Example of Choosing a Basis in Practice
A mobile app collects user data for three reasons:
- To manage the user’s subscription (contractual basis).
- To send promotional offers (consent).
- To prevent fraud and account abuse (legitimate interests).
Each purpose has its own lawful basis, and the company must document these choices and communicate them in its privacy notice. Transparency is essential.
Documentation and Accountability
Under the GDPR’s accountability principle (Article 5(2)), organizations must document their lawful bases and be able to demonstrate compliance. This involves:
- Keeping records of processing activities.
- Performing Data Protection Impact Assessments (DPIAs) when required.
- Informing individuals in privacy notices about the lawful basis used.
- Updating records if the purpose or legal basis changes.
Failure to identify or justify a lawful basis can result in significant fines. Regulators often ask, “On what lawful basis did you process this data?” — and the answer must be clear and evidence-based.
Why Article 6 Matters in Practice
Article 6 is the cornerstone of GDPR compliance. Every data-driven action — from sending a marketing email to storing employee records — must rest on one of these six foundations. Without a lawful basis, the processing is automatically unlawful, no matter how small or harmless it might seem.
For businesses, choosing the right basis isn’t only about avoiding fines. It builds trust. Customers, employees, and partners want to know that their data is used responsibly, transparently, and with respect for their rights.
Conclusion
Article 6 of the GDPR provides a clear legal framework for data processing through its six lawful bases: consent, contract, legal obligation, vital interests, public task, and legitimate interests.
Each serves a different purpose — from emergency healthcare to online marketing — and choosing the correct one depends on context and necessity. Real-world examples show how these bases apply across industries: e-commerce, finance, healthcare, public administration, and beyond.
Ultimately, lawfulness of processing isn’t just a compliance requirement; it’s the ethical foundation of modern data use. Organizations that correctly apply Article 6 demonstrate not only regulatory diligence but also respect for the privacy and autonomy of every individual whose data they handle.