Art. 6 | Severity: critical | GDPR | European Union

GDPR Article 6 — Lawfulness of processing

Enforced by: ICO (UK) / National DPAs
Current as of May 25, 2018
Plain Language Summary
There are six legal bases for processing: consent, contract, legal obligation, vital interests, public task, and legitimate interests. You must identify your basis before processing begins.

Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) processing is necessary in order to protect the vital interests of the data subject;

(e) processing is necessary for the performance of a task carried out in the public interest;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights of the data subject.