Lawful Basis

This topic is essential as Article 6 GDPR provides the specific legal bases that determine whether processing is lawful, which is the core requirement of the 'Lawfulness of processing' content.

lawful basis legal basis Article 6 GDPR grounds for processing consent contract legal obligation vital interests

Overview

23 sources · Feb 20, 2026

Legal Framework

Article 6(1) GDPR provides the exclusive catalogue of lawful bases for processing, encompassing consent (Article 6(1)(a)), performance of contract (Article 6(1)(b)), compliance with legal obligation (Article 6(1)(c)), vital interests (Article 6(1)(d)), public task or official authority (Article 6(1)(e)), and legitimate interests (Article 6(1)(f)). Doctrinal analysis confirms that while the material conditions for lawfulness remain substantially aligned with predecessor legislation, a critical structural change affects public authorities: they are now precluded from relying on legitimate interest when processing personal data in performance of their public tasks. Such processing must instead find basis in Article 6(1)(e) or another applicable provision.

Recital 40 reinforces that processing requires either consent or another legitimate basis laid down by law. However, the 173 recitals function solely as interpretive instruments revealing legislative history; where irreconcilable conflicts arise between recitals and operative text, the articles prevail. Regarding employment contexts, Article 88 GDPR authorizes Member States or social partners to establish specific rules through collective agreements, particularly modifying the conditions for valid employee consent. For international transfers, Articles 45 and 46 GDPR mandate that the protection level—notably the fundamental rights under Articles 7, 8, and 47 of the EU Charter—must not be undermined, requiring continuous Commission monitoring of adequacy decisions with mandatory four-year reviews.

Key Developments

Data Protection Commissioner v. Facebook Ireland and Schrems (C-311/18, "Schrems II") established that national supervisory authorities retain independent competence to suspend transfers where standard contractual clauses prove insufficient against third-country public authority access. The judgment requires organizations to implement supplementary measures beyond standard clauses when necessary to preserve the Charter's guaranteed protection levels.

Fashion ID (C-40/17) clarified that transparency obligations under Articles 13 and 14 GDPR apply only to processing operations where the entity actually determines purposes and means, and must be fulfilled immediately upon data collection. Recent enforcement by the Lithuanian (VDAI) and Spanish (AEPD) data protection authorities in February 2026 indicates heightened scrutiny of basis selection, particularly challenging public sector reliance on inappropriate grounds.

Practical Guidance

Public Sector Exclusion: Public authorities must audit all public task processing to ensure reliance on Article 6(1)(e) rather than Article 6(1)(f), explicitly excluding legitimate interest for governmental functions.
Source Hierarchy: In interpretive analysis, prioritize the operative text of Article 6 over Recitals 40, 68, or 111; deploy recitals only as subordinate aids where the primary text permits ambiguity.
Employment Consent Verification: Before processing employee data on consent grounds, confirm whether Article 88 GDPR implementations or applicable collective agreements impose specific procedural requirements or validity restrictions.
Targeted Transparency: Provide Article 13/14 information immediately at collection, strictly limited to processing operations where your organization exercises actual control over purposes and means.
Transfer Impact Assessment: Conduct systematic assessments of whether standard contractual clauses adequately protect against third-country public authority interference, supplementing with additional technical or contractual measures where Schrems II indicates Charter rights might otherwise be compromised.

Newest Relevant

Laws (83)

View all 83

Artikel 54

Citeertitel wet

May 16, 2018 UAVG

Artikel 5

Toestemming van wettelijk vertegenwoordiger

May 16, 2018 UAVG

Artikel 6

Oprichting en aanwijzing als toezichthoudende autoriteit

May 16, 2018 UAVG

Artikel 7

Samenstelling

May 16, 2018 UAVG

Artikel 14

Taken en bevoegdheden

May 16, 2018 UAVG

Artikel 17

Boete bij onrechtmatige verwerking persoonsgegevens strafrechtelijke aard

May 16, 2018 UAVG

Artikel 53

Inwerkingtreding

May 16, 2018 UAVG

Artikel 48

Overgangsrecht

May 16, 2018 UAVG

Artikel 50

Evaluatie

May 16, 2018 UAVG

Artikel 51

Intrekking Wet bescherming persoonsgegevens

May 16, 2018 UAVG

Artikel 52

Citeertitel verordening

May 16, 2018 UAVG

Article 7

Conditions for consent

Apr 27, 2016 GDPR

Case Law (55)

View all 55

Raad van State - grondslag - 202004638/1/A3

Raad van State - Bestuursrecht

Bij besluit van 31 oktober 2018 heeft de minister van Landbouw, Natuur en Voedselkwaliteit het verzoek van de maatschap om haar gegevens niet door te geven aan de Brancheorganisatie Akkerbouw afgewezen. De minister heeft de maatschap gemeld dat haar naam, adresgegevens en zogenoemde KvK-nummer zullen worden doorgegeven aan de Brancheorganisatie Akkerbouw en dat de maatschap daartegen bezwaar kan maken op grond van de Algemene Verordening Gegevensverwerking. De minister wil deze gegevens van de m

Sep 22, 2021 Raad van State

Rechtbank Rotterdam - rechten van betrokkenen - C/10/613404 / HA ZA 21-150

Rechtbank Rotterdam - Civiel recht

Internationale zaak. Bevoegdheidsincident en incident ex artikel 843a en artikel 15 AVG. Eiseres is via gedaagde gaan beleggen in CfD-trading. In de hoofdzaak vordert eiseres (onder meer) een verklaring voor recht dat de overeenkomst is vernietigd, althans om deze te vernietigen, althans een verklaring voor recht dat gedaagde onrechtmatig heeft gehandeld; Eiseres stelt dat gedaagde door in strijd met het verbod van de AFM CfD’s aan te bieden met een leverage boven 1:30 onrechtmatig heeft gehande

Sep 8, 2021 Rechtbank Rotterdam

Rechtbank Rotterdam - recht op schadevergoeding en aansprakelijkheid - ROT 20/3286

Rechtbank Rotterdam - Bestuursrecht

Naar het oordeel van de rechtbank heeft verzoekster recht op toekenning van een vergoeding voor immateriële schade nu verweerder door het bewaren en verwerken van de rapporten met persoonlijke gegevens van verzoekster in strijd heeft gehandeld met de AVG en daardoor het recht op eerbiediging van de persoonlijke levenssfeer van verzoekster heeft geschonden. Ten aanzien van de hoogte van de vast te stellen schadevergoeding is van belang dat de privacygevoelige persoonsgegevens gedurende een period

Jul 12, 2021 Rechtbank Rotterdam

Rechtbank Midden-Nederland - grondslag - UTR 20/2315

Rechtbank Midden-Nederland - Bestuursrecht

VoetbalTV is een platform op internet waarop amateurvoetbalwedstrijden worden uitgezonden. Verweerder vindt dat eiseres voor het maken van opnames en het uitzenden van voetbalwedstrijden geen geldige grondslag heeft en zij verwerkt daarmee dus onrechtmatig persoonsgegevens. Volgens verweerder maakt eiseres door de opnames inbreuk op de privacy een groot aantal betrokkenen, onder wie veel minderjarige voetballers en rechtvaardigt dit een boete van € 575.000,-.Eiseres stelt dat het opnemen en uitz

Nov 23, 2020 Rechtbank Midden-Nederland

Data Protection Commissioner v. Facebook Ireland Ltd, and Maximillian Schrems

Schrems II

“[…] the standard data protection clauses adopted by the Commission on the basis of Article 46(2)(c) of the GDPR are solely intended to provide contractual guarantees that apply uniformly in all third countries to controllers and processors established in the European Union and, consequently, independently of the level of protection guaranteed in each third country. In so far as those standard data protection clauses cannot, having regard to their very nature, provide guarantees beyond a contrac

Jul 16, 2020 CJEU

Data Protection Commissioner v. Facebook Ireland Ltd, and Maximillian Schrems

Schrems II

“the national supervisory authorities are responsible for monitoring compliance with the EU rules concerning the protection of natural persons with regard to the processing of personal data. Each of those authorities is therefore vested with the power to check whether a transfer of personal data from its own Member State to a third country complies with the requirements laid down in that regulation” / “The exercise of that responsibility is of particular importance where personal data is tra

Jul 16, 2020 CJEU

Rechtbank Amsterdam - recht op schadevergoeding en aansprakelijkheid - C/13/677172 / HA RK 19-435

Rechtbank Amsterdam - Civiel recht

AVG rekest.Verzoek verwijdering persoonsgegevens en materiële en immateriële schadevergoeding ex art. 82 AVG ogv onrechtmatige verwerking persoonsgegevens.Geen belang meer bij verwijderingsverzoek wegens minnelijke regeling. Afwijzing schadevergoeding.

Apr 2, 2020 Rechtbank Amsterdam

BUNDESVERBAND DER VERBRAUCHERZENTRALEN UND VERBRAUCHERVERBANDE —BERBRAUCHERZENTRALE BUNDESVERBAND V. PLANET49 GmbH (“PLANET49”)

Planet49

The restrictions of Article 5(3) of the ePrivacy Directive apply to any information stored in a terminal equipment, regardless of whether or not it is persona. (¶70)

Oct 1, 2019 CJEU

BUNDESVERBAND DER VERBRAUCHERZENTRALEN UND VERBRAUCHERVERBANDE —BERBRAUCHERZENTRALE BUNDESVERBAND V. PLANET49 GmbH (“PLANET49”)

Planet49

Cookie data is personal data where the cookies likely to be placed on the terminal equipment of a user participating in the promotional lottery contained a number assigned to the registration data of that user (who must enter his/her name+address in the registration form.) By linking that number with that data, a connection between a person and the data stored by the cookies arises. Therefore, the data is not anonymous data. (¶45)

Oct 1, 2019 CJEU

BUNDESVERBAND DER VERBRAUCHERZENTRALEN UND VERBRAUCHERVERBANDE —BERBRAUCHERZENTRALE BUNDESVERBAND V. PLANET49 GmbH (“PLANET49”)

Planet49

Consent is “not validly constituted if the storage of information, or access to information already stored in an website user’s terminal equipment, is permitted by way of a checkbox pre-ticked by the service provider which the user must deselect to refuse his or her consent.” The indication of the data subject’s wishes must, inter alia, be ‘specific’ in the sense that “it must relate specifically to the processing of the data in question and cannot be inferred from an indication of the data subj

Oct 1, 2019 CJEU

FASHION ID GmbH & Co. KG v. VERBRAUCHERZENTRALE NRW eV

Fashion ID

ePrivacy Directive: The ECJ did not determine whether the Facebook “Like” button involves such storing or access subject to the ePrivacy Directive, but left it to the national court to make this assessment and determine whether such consent would be required under the e-Privacy rules. The ECJ did not state whether such consent should be obtained by the website operator, by the third-party plugin, or by both.

Jul 29, 2019 CJEU

FASHION ID GmbH & Co. KG v. VERBRAUCHERZENTRALE NRW eV

Fashion ID

Consent: It is the duty of the operator to obtain prior consent from the data subject. The consent given to the operator relates only to the operation or set of operations involving the processing of personal data in respect of which the operator actually determines the purposes and means. (¶¶100–102 and ¶106)

Jul 29, 2019 CJEU

FASHION ID GmbH & Co. KG v. VERBRAUCHERZENTRALE NRW eV

Fashion ID

Duty to inform: It is the duty of the operator to inform, but the information that must be provided to the data subject need “relate only to the operation or set of operations involving the processing of personal data in respect of which that operator actually determines the purposes and means”. The information must be given by the controller immediately, that is to say, when the data are collected. (¶¶100–101 and ¶¶103–106)

Jul 29, 2019 CJEU

SERGEJS BUIVIDS v. THE AUGSTĀKĀ TIESA

Buivids

Processing: A video recording of persons which is stored on a continuous recording device — the hard disk drive of that system — constitutes automatic processing of personal data (see, Ryneš). (¶34). Also, loading personal data onto an internet page constitutes processing since placing information on an internet page entails the operation of loading that page onto a server and the operations necessary to make that page accessible to people who are connected to the internet which are performed, a

Feb 14, 2019 CJEU

Peter Puškár v Finančné riaditeľstvo Slovenskej republiky and Kriminálny úrad finančnej správy

Puškár

Lawful Basis (Public Interest): Article 7(e) Directive 95/46 must be interpreted as not precluding the processing of personal data by the authorities of a Member State for the purpose of collecting tax and combating tax fraud such as that effected by drawing up the contested list in the main proceedings, without the consent of the data subjects, “provided that, first, those authorities were invested by the national legislation with tasks carried out in the public interest within the meaning of t

Sep 27, 2017 CJEU

Peter Puškár v Finančné riaditeľstvo Slovenskej republiky and Kriminálny úrad finančnej správy

Puškár

Admissibility of illegally obtained evidence: Article 47 of the Charter of Fundamental Rights of the EU precludes national court from rejecting, as evidence of an infringement of the protection of personal data, a list, such as the contested list, submitted by the data subject and containing personal data relating to him, “if that person had obtained that list without the consent, legally required, of the person responsible for processing that data, unless such rejection is laid down by national

Sep 27, 2017 CJEU

Peter Puškár v Finančné riaditeľstvo Slovenskej republiky and Kriminálny úrad finančnej správy

Puškár

Lawful basis (in general): Subject to the exceptions permitted under Article 13 of the Data Protection Directive, all processing of personal data must comply, first, with the principles relating to data quality (in Article 6 of that directive) and, have lawful basis (by complying with one criteria for making data processing legitimate listed in Article 7 of that directive) (see, Bara). The list of lawful basis in Article 7 is an exhaustive and restrictive list of cases in which the processing of

Sep 27, 2017 CJEU

Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA ‘Rīgas satiksme’

Rigas

setting out a test based on three criteria to decide whether a processing operation can rely on this ground. The Court reached a surprising conclusion, stating that while there is legitimate interest to process (disclose) data in the case at hand, the controller (a public authority) would also need a legal obligation to lawfully disclose the data.

May 4, 2017 CJEU

Data Protection Commissioner v. Schrems and Facebook

Schrems I

Safe harbour: US public authorities are not required to comply with safe harbor principles. Decision 2000/520 specifies that safe harbor principles may be limited to the extent necessary to meet national security, public interest or law enforcement requirements, or statute, regulation or caselaw. Self-certified US organizations receiving personal data from the EU are thus bound to disregard safe harbor principles when they conflict with US legal requirements. Decision 2000/520 does not contain s

Oct 6, 2015 CJEU

Data Protection Commissioner v. Schrems and Facebook

Schrems I

Independence of DPA: The Directive seeks to ensure an effective, complete, and high level of protection of the fundamental rights and freedoms of natural persons. The guarantee of a DPA’s independence is intended to ensure effectiveness and reliability of the monitoring of compliance, and is an essential component of data protection. DPAs powers extend to their own Member State, but not to processing in third countries. However, DPAs are responsible for monitoring transfers from a Member State t

Oct 6, 2015 CJEU

Guidance (69)

View all 69

Richtsnoeren 8/2022 voor het bepalen van de leidende toezichthoudende autoriteit van de verwerkingsverantwoordelijke of de verwerker

guidelines bepalen leidende toezichthouder

Overview

Legal Framework

Key Developments

Practical Guidance

Laws (83)

Artikel 54

Artikel 5

Artikel 6

Artikel 7

Artikel 14

Artikel 17

Artikel 53

Artikel 48

Artikel 50

Artikel 51

Artikel 52

Recital 168

Recital 38

Recital 40

Recital 155

Recital 158

Recital 42

Recital 161

Recital 171

Article 7

Case Law (55)

Raad van State - grondslag - 202004638/1/A3

Rechtbank Rotterdam - rechten van betrokkenen - C/10/613404 / HA ZA 21-150

Rechtbank Rotterdam - recht op schadevergoeding en aansprakelijkheid - ROT 20/3286

Rechtbank Midden-Nederland - grondslag - UTR 20/2315

Data Protection Commissioner v. Facebook Ireland Ltd, and Maximillian Schrems

Data Protection Commissioner v. Facebook Ireland Ltd, and Maximillian Schrems

Rechtbank Amsterdam - recht op schadevergoeding en aansprakelijkheid - C/13/677172 / HA RK 19-435

BUNDESVERBAND DER VERBRAUCHERZENTRALEN UND VERBRAUCHERVERBANDE —BERBRAUCHERZENTRALE BUNDESVERBAND V. PLANET49 GmbH (“PLANET49”)

BUNDESVERBAND DER VERBRAUCHERZENTRALEN UND VERBRAUCHERVERBANDE —BERBRAUCHERZENTRALE BUNDESVERBAND V. PLANET49 GmbH (“PLANET49”)

BUNDESVERBAND DER VERBRAUCHERZENTRALEN UND VERBRAUCHERVERBANDE —BERBRAUCHERZENTRALE BUNDESVERBAND V. PLANET49 GmbH (“PLANET49”)

FASHION ID GmbH & Co. KG v. VERBRAUCHERZENTRALE NRW eV

FASHION ID GmbH & Co. KG v. VERBRAUCHERZENTRALE NRW eV

FASHION ID GmbH & Co. KG v. VERBRAUCHERZENTRALE NRW eV

SERGEJS BUIVIDS v. THE AUGSTĀKĀ TIESA

Peter Puškár v Finančné riaditeľstvo Slovenskej republiky and Kriminálny úrad finančnej správy

Peter Puškár v Finančné riaditeľstvo Slovenskej republiky and Kriminálny úrad finančnej správy

Peter Puškár v Finančné riaditeľstvo Slovenskej republiky and Kriminálny úrad finančnej správy

Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA ‘Rīgas satiksme’

Data Protection Commissioner v. Schrems and Facebook

Data Protection Commissioner v. Schrems and Facebook

Guidance (69)

Richtsnoeren 8/2022 voor het bepalen van de leidende toezichthoudende autoriteit van de verwerkingsverantwoordelijke of de verwerker

Richtsnoeren 1/2019 voor gedragscodes en toezichthoudende organen in de zin van Verordening 2016/679

Versiegeschiedenis

Richtsnoeren 3/2022 betreffende het herkennen en vermijden van misleidende ontwerppatronen in de interfaces van socialemediaplatforms

Richtsnoeren 07/2020 over de begrippen 'verwerkingsverantwoordelijke' en 'verwerker' in de AVG

Richtsnoeren 02/2021 inzake virtuele spraakassistenten

Richtsnoeren 4/2019 inzake artikel 25 Gegevensbescherming door ontwerp en door standaardinstellingen

Richtsnoeren 01/2022 over de rechten van betrokkenen Recht van inzage

Guidelines 3/2019 on processing of personal data through video devices

Richtsnoeren 8/2020 betreffende de targeting van gebruikers van sociale media

Richtsnoeren 2/2023 over het technische topassingsgebied van artikel 5, lid 3, van de eprivacyrichtlijn

Richtsnoeren 3/2018 over het territoriale toepassingsgebied van de AVG (artikel 3)

GROEP GEGEVENSBESCHERMING ARTIKEL 29

Versiegeschiedenis

Richtsnoeren 03/2021 voor de toepassing van artikel 65, lid 1, punt a), AVG

Richtsnoeren 06/2020 inzake de wisselwerking tussen de tweede richtlijn betalingsdiensten en de AVG

Richtsnoeren 07/2022 voor certificering als doorgifte-instrument

Versiegeschiedenis

Richtsnoeren 01/2021

Guidelines 07/2022 on certification as a tool for transfers

News (96)

AI-generated imagery and protection of privacy: EDPB supports joint Global Privacy Assembly’s statement

DSB (Austria) - 2024-0.199.724

EU adds &#8216;innovative solutions&#8217; for migration into €200bn external fund

ICO (UK) - Allay Claims Ltd

SN - I NO 14/23

AEPD (Spain) - EXP202406574

VDAI (Lithuania) - Nr. 3R-219 (2.13-1.E)

AEPD (Spain) - EXP202406574

LG Kassel - 10 O 81/24

SN - I NO 14/23

OLG Dresden - Az. 4 U 196/25

SN - I NO 14/23

EU adds ‘innovative solutions’ for migration into €200bn external fund