Article 6U.K.Lawfulness of processing
1.Processing shall be lawful only if and to the extent that at least one of the following applies:
(a)the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b)processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c)processing is necessary for compliance with a legal obligation to which the controller is subject;
(d)processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e)processing is necessary for the performance of a task [F1of the controller] carried out in the public interest or [F2a task carried out] in the exercise of official authority vested in the controller;
[F3(ea)processing is necessary for the purposes of a recognised legitimate interest;]
(f)processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
[F4Point (f)][F4Points (ea) and (f)] of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
F52.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.The basis for the processing referred to in point (c) F6... of paragraph 1 shall be laid down by [F7domestic law].
[F8The basis for the processing referred to in point (e) of paragraph 1 must be laid down by domestic law or relevant international law (see section 9A of the 2018 Act).]
The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task [F9of the controller] carried out in the public interest or [F10a task carried out] in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX. [F11The domestic law] [F12or relevant international law] shall meet an objective of public interest and be proportionate to the legitimate aim pursued.
4.Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject's consent or on [F13domestic law] which constitutes a necessary and proportionate measure in a democratic society to safeguard [F14national security, defence or any of] the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia:
(a)any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;
(b)the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;
(c)the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10;
(d)the possible consequences of the intended further processing for data subjects;
(e)the existence of appropriate safeguards, which may include encryption or pseudonymisation.
[F155.For the purposes of paragraph 1(ea), processing is necessary for the purposes of a recognised legitimate interest only if it meets a condition in Annex 1.
6.The Secretary of State may by regulations amend Annex 1 by—
(a)adding or varying provisions, or
(b)omitting provisions added by regulations made under this paragraph.
7.The Secretary of State may only make regulations under paragraph 6 where—
(a)the requirement in paragraph 8 is satisfied, and
(b)if the regulations add a case to Annex 1, the requirement in paragraph 9 is also satisfied.
8.The requirement in this paragraph is that the Secretary of State considers it appropriate to make the regulations having regard to, among other things—
(a)the interests and fundamental rights and freedoms of data subjects which require protection of personal data, and
(b)where relevant, the fact that children merit specific protection with regard to their personal data because they may be less aware of the risks and consequences associated with processing of personal data and of their rights in relation to such processing.
9.The requirement in this paragraph is that the Secretary of State considers that processing in the case to be added to Annex 1 is necessary to safeguard an objective listed in Article 23(1)(c) to (j).
10.Regulations under paragraph 6 are subject to the affirmative resolution procedure.
11.For the purposes of paragraph 1(f), examples of types of processing that may be processing that is necessary for the purposes of a legitimate interest include—
(a)processing that is necessary for the purposes of direct marketing,
(b)intra-group transmission of personal data (whether relating to clients, employees or other individuals) where that is necessary for internal administrative purposes, and
(c)processing that is necessary for the purposes of ensuring the security of network and information systems.
12.In paragraph 11—
“intra-group transmission” means transmission between members of a group of undertakings or between members of a group of institutions affiliated to a central body;
“security of network and information systems” has the same meaning as in the Network and Information Systems Regulations 2018 (S.I. 2018/506) (see regulation 1(3)(g)).]
Textual Amendments
F1Words in Art. 6(1)(e) inserted (19.6.2025 for specified purposes) by Data (Use and Access) Act 2025 (c. 18), ss. 70(2)(a)(i), 142(1)(2)(h)
F2Words in Art. 6(1)(e) inserted (19.6.2025 for specified purposes) by Data (Use and Access) Act 2025 (c. 18), ss. 70(2)(a)(ii), 142(1)(2)(h)
F3Art. 6(1)(ea) inserted (19.6.2025 for specified purposes) by Data (Use and Access) Act 2025 (c. 18), ss. 70(2)(b), 142(1)(2)(h)
F4Words in Art. 6(1) substituted (19.6.2025 for specified purposes) by Data (Use and Access) Act 2025 (c. 18), ss. 70(2)(c), 142(1)(2)(h)
F5Art. 6(2) omitted (31.12.2020) by virtue of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 7(2) (with reg. 5, Sch. 1 para. 80); 2020 c. 1, Sch. 5 para. 1(1)
F6Words in Art. 6(3) omitted (20.8.2025) by virtue of Data (Use and Access) Act 2025 (c. 18), ss. 72(2)(a), 142(1); S.I. 2025/904, reg. 2(b)
F7Words in Art. 6(3) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 7(3)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F8Words in Art. 6(3) inserted (20.8.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 72(2)(b), 142(1); S.I. 2025/904, reg. 2(b)
F9Words in Art. 6(3) inserted (19.6.2025 for specified purposes) by Data (Use and Access) Act 2025 (c. 18), ss. 70(3)(a), 142(1)(2)(h)
F10Words in Art. 6(3) inserted (19.6.2025 for specified purposes) by Data (Use and Access) Act 2025 (c. 18), ss. 70(3)(b), 142(1)(2)(h)
F11Words in Art. 6(3) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 7(3)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F12Words in Art. 6(3) inserted (20.8.2025) by Data (Use and Access) Act 2025 (c. 18), ss. 72(2)(c), 142(1); S.I. 2025/904, reg. 2(b)
F13Words in Art. 6(4) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 7(4)(a) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F14Words in Art. 6(4) inserted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 1 para. 7(4)(b) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
F15Art. 6(5)-(12) inserted (19.6.2025 for specified purposes) by Data (Use and Access) Act 2025 (c. 18), ss. 70(4), 142(1)(2)(h)