CIPP/E Study Guide
IAPP Training · Module 4 - BoK III.B

Module 4 · The six Article 6 lawful bases

Processing personal data needs a lawful basis. Article 6 offers six, and only one is needed: consent, contract, legal obligation, vital interests, public interest/official authority, and legitimate interests. Each has its own triggers and traps - in particular, public authorities may not rely on legitimate interests.

The six Article 6 lawful bases
Basis | Trigger / keyword | Watch out
Consent | Clear consent for a specific purpose | Must be as easy to withdraw as to give
Contract | A customer purchasing a good or service; or pre-contractual steps at their request | Only covers what is necessary for the contract
Legal obligation | EU/Member State law requires the processing | Interpreted narrowly; not contracts, not third-country laws
Vital interests | Protect the life of the data subject or another natural person | Reserved for genuine life-or-death situations
Public interest / official authority | A task defined by Member State law (justice, tax, census/research) | Needs a legal basis defining the task
Legitimate interests | Interests of the controller or a third party | Unless overridden by the data subject; public authorities may NOT rely on it

Two classic traps

(1) Only one of the six bases is needed - not several. (2) Public authorities may NOT rely on legitimate interests for their public tasks; they must use public interest/official authority instead.

For goods and services, look first to contract (the keyword is a customer purchasing). Legal obligation is read narrowly - it must flow from EU or Member State law, never from a private contract or a third country's law.

Key terms - quick answers

What is “Consent”?
Freely given, specific, informed, unambiguous agreement to processing for a specific purpose; must be as easy to withdraw as to give.
What is “Contract”?
Processing necessary to perform a contract with the data subject, or to take pre-contractual steps at their request.
What is “Legal obligation”?
Processing necessary to comply with an EU or Member State legal obligation; interpreted narrowly.
What is “Vital interests”?
Processing necessary to protect the life of the data subject or another natural person.