Article 6 GDPR
Lawful compliance of the processing

1. Processing is lawful only if, and to the extent that, one or more of the following conditions are met:

(a) the data subject has consented to the processing of his personal data for one or more specified purposes;

(b) the processing is necessary for the performance of a contract to which the data subject is a party or to take action at the request of the data subject before the conclusion of the contract;

(c) the processing is necessary to fulfil the legal obligation imposed on the controller;

(d) the processing is necessary to protect the vital interests of the data subject or of another natural person;

(e) the processing is necessary for the performance of a task carried out in the public interest or in the exercise of public authority entrusted to the administrator;

(f) the processing is necessary for the purposes arising from legitimate interests pursued by the controller or by a third party, except where the interests or fundamental rights and freedoms of the data subject which require the protection of personal data have a primacy over those interests, in particular where the data subject is a child.

The first subparagraph of point (f) shall not apply to processing carried out by public authorities in the performance of their tasks.

2. Member States may retain or introduce more specific provisions to adapt the application of this Regulation to processing intended to fulfill the conditions of paragraph 1(c) and (e); to this end, they may further specify specific processing requirements and other measures to ensure the lawfulness and fairness of the processing, including in other specific processing situations provided for in Chapter IX.

3. The basis for the processing referred to in paragraph 1 (c) and (e) must be specified:

(a) in Union law; or

(b) the law of the Member State to which the administrator is subject.

The purpose of the processing must be specified in this legal basis or, in the case of processing referred to in paragraph 1(e), it must be necessary for the performance of a task carried out in the public interest or in the exercise of public authority vested in the controller. The legal basis may contain specific provisions adapting the application of the provisions of this Regulation, including: the general conditions for the lawfulness of processing by the controller; the type of data to be processed; the data subjects; the entities to which the personal data may be disclosed; the purposes for which the personal data may be disclosed; purpose restrictions; retention periods; and the processing operations and procedures, including measures to ensure the lawfulness and fairness of the processing, including in other specific processing situations referred to in Chapter IX. Union law or the law of a Member State must serve a public interest purpose, and be proportionate to the designated legitimate purpose.

4. If processing for a purpose other than the purpose for which the personal data were collected is not based on the data subject’s consent or on Union or Member State law constituting a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller — in order to determine whether processing for another purpose is compatible with the purpose for which the personal data were originally collected — shall take into account, inter alia:

(a) any relationship between the purposes for which personal data were collected and the purposes for which further processing is intended;

(b) the context in which the personal data were collected, in particular the relationship between data subjects and the controller;

(c)

*

the nature of the personal data, in particular whether special categories of personal data are being processed in accordance with Article 9 or personal data relating to criminal convictions and offenses in accordance with Article 10;

(d) any consequences of the intended further processing for data subjects;

(e) the existence of appropriate safeguards, including possible encryption or pseudonymisation.