Article 6 EU GDPR: lawfulness of processing

  1. Processing is lawful only if at least one of the following conditions is met:
    1. The data subject has given their consent to the processing of their personal data for one or more specific purposes;
    2. the processing is necessary for the performance of a contract to which the data subject is party or for the implementation of pre-contractual measures at the request of the data subject;
    3. the processing is necessary for compliance with a legal obligation to which the controller is subject;
    4. the processing is necessary to protect vital interests of the data subject or another natural person;
    5. the processing is necessary for the performance of a task that is in the public interest or in the exercise of official authority that has been assigned to the person responsible;
    6. processing is necessary to safeguard the legitimate interests of the person responsible or a third party, unless the interests or fundamental rights and freedoms of the data subject that require the protection of personal data prevail, in particular if the data subject is a child.
  2. Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their duties.
  3. Member States may maintain or introduce more specific provisions adapting the application of the rules of this Regulation in relation to processing to comply with points (c) and (e) of paragraph 1 by specifying specific requirements for processing and other measures to ensure lawful and fair processing, including for other special processing situations in accordance with Chapter IX.
  4. The legal basis for the processing pursuant to paragraph 1 letters c and e is determined by
    1. Union law or
    2. the law of the Member States to which the controller is subject.
  5. The purpose of the processing must be specified in this legal basis or, with regard to the processing referred to in paragraph 1 letter e, be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This legal basis may contain specific provisions adjusting the application of the provisions of this Regulation, including provisions on which general conditions apply to regulate the lawfulness of processing by the controller, what types of data are processed, which subjects are concerned, to which entities and for what purposes the personal data may be disclosed, the purpose limitations, how long they may be stored and what processing operations and procedures may be used, including measures to ensure lawful and fair processing, such as those for other special processing situations according to Chapter IX. Union law or the law of the Member States must pursue an objective in the public interest and be proportionate to the legitimate aim pursued.
  6. If the processing for a purpose other than that for which the personal data was collected is not based on the consent of the data subject or on a legal provision of the Union or of the Member States which, in a democratic society, requires a necessary and proportionate measure to protect the objectives referred to in Article 23(1), the controller shall, in order to determine whether the processing for another purpose is compatible with the one for which the personal data were originally collected, take into account, among other things:
    1. any link between the purposes for which the personal data were collected and the purposes of the intended further processing,
    2. the context in which the personal data was collected, in particular with regard to the relationship between the data subject and the person responsible,
    3. the nature of the personal data, in particular whether special categories of personal data are processed in accordance with Article 9 or whether personal data relating to criminal convictions and offenses are processed in accordance with Article 10,
    4. the possible consequences of the intended further processing for the persons concerned,
    5. the existence of appropriate safeguards, which may include encryption or pseudonymisation.