# GDPR Article 6 — Lawfulness of processing

> The six legal bases for processing personal data: consent, contract, legal obligation, vital interests, public task, and legitimate interests.

Citation: *Regulation (EU) 2016/679*  
Last reconciled with canonical source: 2026-04-25  
Canonical: https://eur-lex.europa.eu/eli/reg/2016/679/oj  
Source: https://consenttheater.org/law/gdpr/art-6/

---

## In plain language

Article 6 is the heart of the GDPR. Before any organisation processes your personal data, it has to be able to point to one of **six lawful bases**. No basis, no processing — full stop.

Those six bases are:

1. **Consent** — you said yes (and the conditions in Article 7 are met).
2. **Contract** — processing is necessary to fulfil a contract with you, or to take steps at your request before entering one.
3. **Legal obligation** — the law requires the controller to process the data (e.g., tax-record retention).
4. **Vital interests** — processing is needed to protect someone's life.
5. **Public task** — the controller is exercising official authority or a task in the public interest.
6. **Legitimate interests** — the controller's interests are not overridden by your rights and freedoms. This is the most contested basis; it requires a balancing test and explicit reasoning.

For tracking on the open web, only consent (Article 6(1)(a)) and legitimate interests (Article 6(1)(f)) realistically apply. Most ad-tech, retargeting and cross-site profiling falls outside any defensible legitimate-interest argument because the interference with the data subject is too significant and consent is the only sustainable basis. That is why *strict consent* trackers in our catalogue need explicit consent to be lawful.

**UK:** Article 6 of the [UK GDPR](/law/uk-gdpr-and-pecr/) uses identical text and the same six lawful bases. The ICO interprets legitimate-interests under 6(1)(f) similarly to most EU authorities — narrow for ad-tech, generous for genuine functional needs.

## How we use this on consenttheater.org

- [Strict consent](/methodology/#required-strict) trackers are ones for which **only Article 6(1)(a) consent** is realistic — there is no defensible legitimate-interest claim under 6(1)(f).
- [Consent required](/methodology/#required) trackers also practically need 6(1)(a) consent under prevailing EU readings, even though operators sometimes attempt 6(1)(f) arguments.
- [Contested](/methodology/#contested) trackers are the ones where some authorities accept narrowly-scoped 6(1)(f) legitimate-interest reasoning and others insist on 6(1)(a) consent.

## Original text

Reproduced verbatim from *Regulation (EU) 2016/679*, published by the Publications Office of the European Union on [eur-lex.europa.eu](https://eur-lex.europa.eu/eli/reg/2016/679/oj). The official source is authoritative; this rendering is a navigation convenience.

> **1.** Processing shall be lawful only if and to the extent that at least one of the following applies:
>
> **(a)** the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
>
> **(b)** processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
>
> **(c)** processing is necessary for compliance with a legal obligation to which the controller is subject;
>
> **(d)** processing is necessary in order to protect the vital interests of the data subject or of another natural person;
>
> **(e)** processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
>
> **(f)** processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
>
> Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
>
> **2.** Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1 by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing including for other specific processing situations as provided for in Chapter IX.
>
> **3.** The basis for the processing referred to in point (c) and (e) of paragraph 1 shall be laid down by:
>
> **(a)** Union law; or
>
> **(b)** Member State law to which the controller is subject.
>
> The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX. The Union or the Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.
>
> **4.** Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject's consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia:
>
> **(a)** any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;
>
> **(b)** the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;
>
> **(c)** the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10;
>
> **(d)** the possible consequences of the intended further processing for data subjects;
>
> **(e)** the existence of appropriate safeguards, which may include encryption or pseudonymisation.

Prefer the canonical version? [Open this article on eur-lex.europa.eu →](https://eur-lex.europa.eu/eli/reg/2016/679/oj)

---

## Reproduction notice

The text reproduced on this page is taken from the consolidated version of *Regulation (EU) 2016/679*, an official act of the European Union. EU legislative texts are excluded from copyright protection (recital 22 of Directive (EU) 2019/790). ConsentTheater is not affiliated with, endorsed by, or sponsored by any EU institution. For binding legal use always consult the official source on [eur-lex.europa.eu](https://eur-lex.europa.eu/eli/reg/2016/679/oj). We re-verify each reproduction against the canonical text on the date shown at the top of this page.