EU GDPR Art 6 – Global Relay Intelligence & Practice

EU GDPR Art 6

Sets out the lawful bases on which personal data can be processed. The lawful basis must be determined and documented before processing of the personal data begins.

Rule Overview

Jurisdiction: European Union

Regulator: ESMA

Topic: Data Protection

Overview

Rules in This Collection

Notable

Latest News

Further Reading

Processing of personal data is lawful for the following reasons only:

subject has given consent;
contractual necessity;
legal necessity;
protection of a person’s vital interests;
public interest; and
legitimate interest except where overridden by fundamental rights.

The last point does not apply to public authorities performing their tasks.

Where processing is not based on consent or legal sanction the controller needs to take into account:

link(s) between original collection purpose and intended further processing purpose(s);
context of original collection (relationship between subject and controller);
nature of the data;
possible consequences of intended further processing; and
existence of appropriate safeguards.

Rules in This Collection

EU GDPR Art 6 This Rule

Notable

CJEU makes landmark decision in Meta vs Bundeskartellamt

Privacy

CJEU makes landmark decision in Meta vs Bundeskartellamt

July 27, 2023

Judgment allows GDPR scrutiny through antitrust regulators and imposes limitations on personalized use of consumers’ personal data.

Verena Grentzenberg | DLA Piper, Philipp Schmechel | DLA Piper, Dr. Jonas Kranz | DLA Piper12 min read

Norwegian Data Protection Authority wins against Meta in court

Privacy

Norwegian Data Protection Authority wins against Meta in court

September 8, 2023

The Norwegian authority has put a temporary ban on the social media giant after its illegal behaviour-based marketing.

Martina Lindberg1 min read

Using data protection to counter bias in generative AI

AI

Using data protection to counter bias in generative AI

October 5, 2023

Practical steps to mitigate against bias and hallucinations when using and developing AI models.

Kirsten Ammon | Fieldfisher5 min read

Privacy

CJEU makes landmark decision in Meta vs Bundeskartellamt

Privacy

Norwegian Data Protection Authority wins against Meta in court

AI

Using data protection to counter bias in generative AI

Latest News More on EU GDPR

Security

Celito Tech's Ravi Monangi and Ethan Grammer on compliant growth in life science

March 24, 2025

We explored how small and mid-sized pharmaceutical and biotech companies can avoid costly early compliance mistakes and minimize risk as they scale.

Alexander Barzacanos7 min read
Privacy

GRIP Q&A: Tyler Thompson of Reed Smith on AI data privacy

March 19, 2025

Ahead of his talk at the AI Governance & Strategy Summit in Seattle, Tyler Thompson spoke to GRIP about AI strategy and future developments.

Jean Hurley5 min read
Data

Telenor fined NKr 4m for DPO scheme and internal controls failures

March 19, 2025

Datatilsynet in Norway found that Telenor contravened EU GDPR with multiple failures.

Martina Lindberg<1 min read
Conferences and events

Experts discuss collaboration on AI regulation and the value of data

March 18, 2025

The last of our reports from this year's Data Insights x Shoosmiths conference.

Jean Hurley, Martina Lindberg4 min read
Privacy

DeepSeek and personal data transfers to China

February 14, 2025

DeepSeek may disrupt laws on data protection and transfers on both sides of the Atlantic, as well as disrupting US markets.

Alice Wallbank | Shoosmiths, Sherif Malak | Shoosmiths, Adam Fox | Shoosmiths4 min read
Enforcement

Rise in sanctions and compliance orders by CNIL in 2024

February 14, 2025

The Commission nationale de l'informatique et des libertés issued 45 more sanctions in 2024 than in 2023.

Martina Lindberg2 min read
Data

European GDPR fines down 33% in 2024, but enforcement 'remains dynamic'

February 6, 2025

The Irish Data Protection Commission continues to take the lead on GDPR fines in Europe.

Martina Lindberg4 min read
Privacy

The GDPR needs to be reviewed, states Swedish Privacy Protection Authority

January 30, 2025

IMY argues that the regulation risks losing legitimacy if it is not refined.

Martina Lindberg1 min read

Further Reading

ICO guide to lawful basis