Lesson 14 of 25
The Six Lawful Bases (Article 6)
5 min read · CIPP/E
Master all six lawful bases and the legitimate-interests three-part test, and learn to choose the most appropriate basis for the real reason behind the processing—not just any basis that fits.
No processing without a lawful basis
- Article 6(1) — six lawful bases
- You need at least one for every processing activity
- Choose the basis before you process, not after
- Special-category data also needs an Article 9 condition
Lawfulness is the first principle, and Article 6 is where it lives. The rule is simple to state and central to everything: processing is lawful only if at least one of six bases in Article 6(1) applies. You must identify your basis before you process, and you generally cannot swap to a different one later just because the first failed.
And remember, if the data is special-category under Article 9, you need both an Article 6 basis and a separate Article 9 condition. The exam tests this constantly by giving you a scenario and asking which basis fits, or whether the basis the organisation chose was the right one. So let's take all six in turn.
Consent and contract
- 6(1)(a) consent — freely given, specific, informed, unambiguous
- 6(1)(b) contract — necessary to perform or enter a contract
- 'Necessary' is strict — not merely useful
- Consent is often the weakest practical basis
The first two bases. Article 6(1)(a) is consent, where the data subject has agreed to the processing; we will spend the next lecture on what makes consent valid, because the bar is high and it is easy to get wrong. Article 6(1)(b) is contractual necessity, where processing is necessary for the performance of a contract with the data subject, or to take steps at their request before entering one, like processing an address to ship an order they placed.
The word necessary is strict: the processing must be genuinely required to deliver the contract, not just helpful or commercially convenient. The EDPB has stressed, for example, that behavioural advertising is generally not necessary to perform a basic online-service contract. Many organisations over-rely on consent when contract would be cleaner; the exam tests that judgment.
Legal obligation, vital interests, public task
- 6(1)(c) legal obligation — required by EU/member-state law
- 6(1)(d) vital interests — to protect someone's life
- 6(1)(e) public task — official authority or public interest
- These three rarely need consent on top
The middle three bases. Article 6(1)(c), legal obligation, covers processing necessary to comply with a legal obligation the controller is under, for example retaining transaction records for tax or anti-money-laundering law. Article 6(1)(d), vital interests, covers processing necessary to protect someone's life, a narrow basis really meant for emergencies where the person cannot consent, such as passing medical data to treat an unconscious patient.
Article 6(1)(e), public task, covers processing necessary to perform a task carried out in the public interest or in the exercise of official authority, the basis public bodies typically rely on. A key exam point: where one of these applies, you do not also need consent, and asking for consent you cannot honour would actually be misleading.
Legitimate interests and the three-part test
- 6(1)(f) legitimate interests — the most flexible basis
- Test 1: is there a legitimate interest?
- Test 2: is the processing necessary for it?
- Test 3: do the person's interests/rights override it?
Article 6(1)(f), legitimate interests, is the most flexible basis and the most examined. Processing is lawful if it is necessary for the legitimate interests of the controller or a third party, except where those interests are overridden by the interests or fundamental rights of the data subject. That exception means you must run a three-part test, often called a legitimate interests assessment.
First, the purpose test: is there a genuine legitimate interest, such as fraud prevention, network security, or direct marketing? Second, the necessity test: is the processing actually necessary to achieve it, or is there a less intrusive way? Third, the balancing test: do the individual's interests, rights, and reasonable expectations override the interest?
If they do, you cannot rely on this basis. Note one limit: public authorities generally cannot use legitimate interests for their public tasks.
Choosing the right basis
- Match the basis to the real reason for processing
- Consent ≠ default; pick the most appropriate basis
- Document the choice (accountability)
- Special-category data: add an Article 9 condition
Putting it together, the exam wants you to choose the most appropriate basis for a given purpose, not just any basis that technically fits. If the law requires the processing, use legal obligation, not consent. If it is core to delivering the service the person asked for, use contract.
If it is something the person would reasonably expect and that passes the balancing test, legitimate interests may fit. Reserve consent for processing that is genuinely optional and where you can honour a withdrawal. Document your choice, because accountability requires you to justify it.
And never forget the second key for sensitive data: special-category processing needs an Article 9 condition on top of your Article 6 basis. Picking the cleanest basis is a skill the exam rewards repeatedly.
Recap
- Six bases: consent, contract, legal obligation, vital, public, legitimate interests
- 'Necessary' is strict throughout
- Legitimate interests needs the three-part test
- Choose the most appropriate basis; document it
Let's lock in Article 6. The six lawful bases are consent, contractual necessity, legal obligation, vital interests, public task, and legitimate interests. The word necessary runs through five of them and is interpreted strictly.
Legitimate interests is the most flexible but demands a three-part assessment (purpose, necessity, and balancing), and public authorities cannot use it for their public tasks. You must pick the most appropriate basis for the real reason behind the processing, document it, and add an Article 9 condition for special-category data. Next, we go deep on the basis everyone gets wrong, consent, and on the Article 9 conditions for sensitive data.
First, go test yourself on the six lawful bases.
Sources
- Regulation (EU) 2016/679 (GDPR), Article 6(1)(a)-(f) (lawful bases), Article 6(4)
- Recitals 40, 44-47
- EDPB Guidelines 2/2019 on Article 6(1)(b) and guidance on legitimate interests
Test your knowledge
A few CIPP/E questions on this material — pick an answer to see the explanation.
Q1. A company routinely sends EU customer data to its US parent on a daily basis. Can the company rely on Article 49 explicit consent as a standard basis for these ongoing transfers?
Q2. A social network sets all new user profiles to publicly visible by default. A user can make their profile private in the settings. Which GDPR principle does this violate?
Q3. An organisation has fewer than 250 employees. Its director believes the Article 30 records-of-processing obligation does not apply at all. Is this correct?
Q4. Which of the following organisations is required to appoint a data protection officer under Article 37?