Article 6 contains specific requirements that must be met to make the processing of personal data 'lawful'. These are known variously as the 'legal basis', 'condition', or 'ground' for processing.

In order to process 'special category data', a controller must demonstrate that one of the exceptions to the prohibition on processing special category data applies.

In respect of 'personal data', processing shall be lawful only if and to the extent that at least one of the following applies:

With the exception of consent, each condition for processing is qualified by the phrase “processing is necessary”. This phrase has been considered by the Court of Justice of the European Union in Huber v Germany and is generally taken to mean that the processing is “proportionate to the legitimate aim being pursued” (for example, see Stone v SE Coast Strategic Health Authority [2006] EWHC 1668 (Admin)).

Controllers must determine which lawful condition is met for each separate purpose for which personal data is processed, as this is required:

If no lawful basis applies then your processing will be unlawful and in breach of this principle.

Lawfulness also means that you don’t do anything with the personal data which is unlawful in a more general sense. This includes statute and common law obligations, whether criminal or civil. If processing involves committing a criminal offence, it will obviously be unlawful. However, processing may also be unlawful if it results in:

These are just examples, and this list is not exhaustive. You may need to take your own legal advice on other relevant legal requirements.

If you have processed personal data unlawfully, the Applied GDPR gives individuals the right to have that data erased or to restrict your processing of it.