Table of Contents
Understanding Article 6 of GDPR
Article 6 of GDPR considers the lawfulness of processing activities of personal data and outlines the type of processing activities that are considered to be lawful under the regulation.
Lawful processing (Article 6(1) GDPR)
The lawful activities under Article 6 are:
- When consent is obtained for a specific purpose
- Processing is necessary for the performance of a contract with the data subject
- Processing is necessary to take steps to enter into a contract
- For compliance with a legal obligation
- To protect the vital interests of the data subject or of another person
- When it’s necessary for the interest of the public
- When required by an official authority vested in the controller
- When it’s necessary for the legitimate interest of the controller or a third party except if the data subject’s fundamental rights and freedoms override such interests
Power of the Member States (Article 6(2) GDPR)
GDPR gives each Europen country or member state to adopt more specific measures and requirements with regards to data processing activities required to respect a legal obligation or for the best interest of the public to ensure data processing remains lawful and fair.
Legal basis when Member States adopt specific laws (Article 6(3) GDPR)
Should a member state wish to adopt specific laws in relation to the data processing required its domestic law or the interest of the public, it must make sure that the legal basis remains under its own domestic law or the laws of the European Union.
Data processing for other purposes (Article 6(4) GDPR)
If the data controller intends to process personal data for reasons other than the purpose the personal data was initially collected and there are no legal basis in its domestic laws or that of the Europen Union, it must consider if the new processing remains compatible with the initial purpose by considering the following:
- The link between the initial purpose and new purpose
- The context in which the personal data was collected
- The nature of the personal data collected
- The possible consequences or impact on the data subject
- The type of safeguards in place such as data encryption or pseudonymisation
Recitals applicable to Article 6 of GDPR
Relevant Recitals: 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 171
GDPR Regulation article-by-article overview
Read our comprehensive overview of the GDPR Regulation, article by article, where we summarize each of the 99 articles contained in GDPR to give you a complete understanding of its content.
Cited Legislation
GDPR Text: Article 6 of GDPR and Relevant Recitals
GDPR Text Source: EUR-Lex
Official GDPR Text: General Data Protection Regulation
Official GDPR Title: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), corrected by Corrigendum, OJL 127, 23.5.2018, p. 2 ((EU) 2016/679)