How to Demonstrate Compliance With GDPR Article 6

Lawfulness of Processing

Book a demo

people,working,in,modern,office.,group,of,young,programmers,sitting

GDPR Article 6 outlines the basic lawful principles that prohibits all processing of personal data unless it is based on specific legal stipulations.

GDPR Article 6 Legal Text

EU GDPR Version

Lawfulness of Processing

  1. Processing shall be lawful only if and to the extent that at least one of the following applies:
    • (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
    • (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
    • (c) processing is necessary for compliance with a legal obligation to which the controller is subject;
    • (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
    • (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
    • (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

      Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

  2. Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1 by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing including for other specific processing situations as provided for in Chapter IX.
  3. The basis for the processing referred to in point (c) and (e) of paragraph 1 shall be laid down by:
    • (a) Union law; or
    • (b) Member State law to which the controller is subject.
    • The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX. The Union or the Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.

  4. Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject’s consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia:
    • (a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;
    • (b) the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;
    • (c) the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10;
    • (d) the possible consequences of the intended further processing for data subjects;
    • (e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.

UK GDPR Version

Lawfulness of Processing

  1. Processing shall be lawful only if and to the extent that at least one of the following applies:
    • (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
    • (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
    • (c) processing is necessary for compliance with a legal obligation to which the controller is subject;
    • (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
    • (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
    • (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

      Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

      The basis for the processing referred to in point (c) and (e) of paragraph 1 shall be laid down by domestic law.

      The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX. The domestic law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.

  2. Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject’s consent or domestic law which constitutes a necessary and proportionate measure in a democratic society to safeguard [national security, defence or any of] the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia:
    • (a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;
    • (b) the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;
    • (c) the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10;
    • (d) the possible consequences of the intended further processing for data subjects;
    • (e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.

We’re cost-effective and quick

Discover how that will boost your ROI
Get your quote

Technical Commentary

GDPR Article 6 outlines 7 factors that contribute towards what it defines as a ‘lawful basis for processing’:

  1. Consent.
  2. The existence of a valid contract.
  3. The conditions necessary for the performance of the contract.
  4. A legal obligation to collect, store and process personal data.
  5. A scenario that’s necessary to protect the vital interests of a data subject/natural person.
  6. An obvious public interest.
  7. A legitimate interest in performing a certain processing operation.

ISO 27701 Clause 7.2.2 (Identify Lawful Basis) and EU GDPR Article 6

In this section we talk about GDPR Articles 6 (1)(a), 6 (1)(b), 6 (1)(c), 6 (1)(d), 6 (1)(e), 6 (1)(f), 6 (2), 6 (3), 6 (4)(a), 6 (4)(b), 6 (4)(c), 6 (4)(d) and 6 (4)(e)

Depending on the jurisdiction, organisations may have to prove that their PII processing activities are lawful before they begin.

To form a legal basis for processing PII, organisations should:

  • Seek consent from PII principals.
  • Draft a contract.
  • Comply with various other legal obligations.
  • Protect the ‘vital interests’ of the various PII principals.
  • Ensure that the tasks being performed are in the public interest.
  • Confirm that PII processing is a legitimate interest.

For every point mentioned above, organisations should be able to offer documented confirmation.

Organisations also need to consider any ‘special categories’ of PII that relate to their organisation in their data classification scheme (see ISO 27701 Clause 7.2.8) (classifications may vary from region to region).

If organisations experience any changes to their underlying reasons for processing PII, this should be immediately reflected in their documented legal basis.

Supporting ISO 27701 Clauses

  • ISO 27701 7.2.8

ISO 27701 Clause 7.4.5 (PII De-identification and Deletion at the End of Processing) and EU GDPR Article 6

In this section we talk about GDPR Article 6 (4)(e)

Organisations either need to completely destroy any PII that no longer fulfils a purpose, or modify it in a way that prevents any form of principal identification.

As soon as the organisation established that the PII doesn’t need to be processed at any time in the future, the information should be deleted or de-identified, as the circumstances dictate.

Index of Linked EU GDPR Articles and ISO 27701 Clauses

GDPR ArticleISO 27701 ClauseISO 27701 Supporting Clauses
EU GDPR Articles 6 (1)(a) to 6 (4)(e)ISO 27701 7.2.2ISO 27701 7.2.8
EU GDPR Article 6 (4)(e)ISO 27701 7.4.5None

How ISMS.online Help

The ISMS.online platform includes built-in guidance at each step, combined with our ‘Adopt, Adapt, Add’ implementation approach, so demonstrating your GDPR compliance is significantly easier. You will also benefit from a range of powerful time-saving features.

By mapping your work across multiple standards and frameworks, our intuitive platform makes it easy to accomplish multiple information security and data privacy goals.

If for any reason you experience a lack of confidence, ability or the drive to take action during your journey to GDPR, we can make our team of in-house experts available or recommend one of our trusted partners to give your efforts a boost.

Find out more by booking a short demo.

Discover our platform

Book a tailored hands-on session
based on your needs and goals
Book your demo

Trusted by companies everywhere
  • Simple and easy to use
  • Designed for ISO 27001 success
  • Saves you time and money
Book your demo
img

Explore ISMS.online's platform with a self-guided tour - Start Now