EU GDPR Art 6 – Global Relay Intelligence & Practice

EU GDPR Art 6

Sets out the lawful bases on which personal data can be processed. The lawful basis must be determined and documented before processing of the personal data begins.

Rule Overview

Jurisdiction: European Union

Regulator: ESMA

Topic: Data Protection

Overview

Rules in This Collection

Notable

Latest News

Further Reading

Processing of personal data is lawful for the following reasons only:

subject has given consent;
contractual necessity;
legal necessity;
protection of a person’s vital interests;
public interest; and
legitimate interest except where overridden by fundamental rights.

The last point does not apply to public authorities performing their tasks.

Where processing is not based on consent or legal sanction the controller needs to take into account:

link(s) between original collection purpose and intended further processing purpose(s);
context of original collection (relationship between subject and controller);
nature of the data;
possible consequences of intended further processing; and
existence of appropriate safeguards.

Rules in This Collection

EU GDPR Art 6 This Rule

Notable

CJEU makes landmark decision in Meta vs Bundeskartellamt

Privacy

CJEU makes landmark decision in Meta vs Bundeskartellamt

July 27, 2023

Judgment allows GDPR scrutiny through antitrust regulators and imposes limitations on personalized use of consumers’ personal data.

Verena Grentzenberg | DLA Piper, Philipp Schmechel | DLA Piper, Dr. Jonas Kranz | DLA Piper12 min read

Norwegian Data Protection Authority wins against Meta in court

Privacy

Norwegian Data Protection Authority wins against Meta in court

September 8, 2023

The Norwegian authority has put a temporary ban on the social media giant after its illegal behaviour-based marketing.

Martina Lindberg1 min read

Using data protection to counter bias in generative AI

AI

Using data protection to counter bias in generative AI

October 5, 2023

Practical steps to mitigate against bias and hallucinations when using and developing AI models.

Kirsten Ammon | Fieldfisher5 min read

Privacy

CJEU makes landmark decision in Meta vs Bundeskartellamt

Privacy

Norwegian Data Protection Authority wins against Meta in court

AI

Using data protection to counter bias in generative AI

Latest News More on EU GDPR

Privacy

DeepSeek and personal data transfers to China

February 14, 2025

DeepSeek may disrupt laws on data protection and transfers on both sides of the Atlantic, as well as disrupting US markets.

Alice Wallbank | Shoosmiths, Sherif Malak | Shoosmiths, Adam Fox | Shoosmiths4 min read
Enforcement

Rise in sanctions and compliance orders by CNIL in 2024

February 14, 2025

The Commission nationale de l'informatique et des libertés issued 45 more sanctions in 2024 than in 2023.

Martina Lindberg2 min read
Data

European GDPR fines down 33% in 2024, but enforcement 'remains dynamic'

February 6, 2025

The Irish Data Protection Commission continues to take the lead on GDPR fines in Europe.

Martina Lindberg4 min read
Privacy

The GDPR needs to be reviewed, states Swedish Privacy Protection Authority

January 30, 2025

IMY argues that the regulation risks losing legitimacy if it is not refined.

Martina Lindberg1 min read
AI

EDPB opinion on AI models and use of personal data

January 21, 2025

The opinion considers anonymity, legitimate interest and deploying an AI model with unlawfully processed personal data.

Jean Hurley2 min read
Privacy

DSARs: How to understand your obligations beyond data

December 13, 2024

UK and EU courts are increasingly saying that it's not enough to point to a privacy notice to satisfy the extra GDPR requirements.

Alice Wallbank | Shoosmiths, Sherif Malak | Shoosmiths, Adam Fox | Shoosmiths5 min read
Privacy

Finnish DPO fines Posti €2.4m for GDPR violations with electronic mailbox

November 25, 2024

The company allegedly illegally processed customer data when creating a new electronic mailbox for two million customers that haven't requested the service.

Martina Lindberg2 min read
Data

GDPR: When can data controllers rely on ‘legitimate interests’ to conduct data processing?

October 23, 2024

New guidelines from the EDPB on the processing of personal data.

Dr. Axel Spies | Morgan Lewis2 min read

Further Reading

ICO guide to lawful basis