Article 6 contains specific requirements that must be met to make the processing of personal data 'lawful'. These are known variously as the 'legal basis', 'condition', or 'ground', for processing.
In order to process 'special category data', a controller must demonstrate that one of the exceptions to the prohibition on processing special category data applies.
In respect of 'personal data', processing shall be lawful only if and to the extent that at least one of the following applies:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation laid down by Manx law or Union law as applied to the Island to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller which is laid down by Manx law or Union law as applied to the Island;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. (NOT applicable to processing of personal data carried out by a public authority in the performance of their tasks).
With the exception of consent, each condition for processing is qualified by the phrase “processing is necessary”. This phrase has been considered by the Court of Justice of the European Union in Huber v Germany and is generally taken to mean that the processing is “proportionate to the legitimate aim being pursued” (for example, see Stone v SE Coast Strategic Health Authority  EWHC 1668 (Admin)).
Controllers must determine what lawful condition is met for each separate purpose for which personal data is processed as this is required:
- to be given to data subjects in transparency information;
- to establish whether an individual can exercise:
- to comply with any withdrawal of consent if that is the only legal ground for processing;
- to enable the controller to describe to an individual what 'legitimate interest' it has in the processing of that personal data and how the processing does not affect the interests or fundamental rights and freedoms of the individual concerned, if that is the only legal ground for processing.
If no lawful basis applies then your processing will be unlawful and in breach of this principle.
Lawfulness also means that you don’t do anything with the personal data which is unlawful in a more general sense. This includes statute and common law obligations, whether criminal or civil. If processing involves committing a criminal offence, it will obviously be unlawful. However, processing may also be unlawful if it results in:
- a breach of a duty of confidence;
- your organisation exceeding its legal powers or exercising those powers improperly;
- an infringement of copyright;
- a breach of an enforceable contractual agreement;
- a breach of industry-specific legislation or regulations; or
- a breach of the European Convention on Human Rights.
These are just examples, and this list is not exhaustive. You may need to take your own legal advice on other relevant legal requirements.
If you have processed personal data unlawfully, the Applied GDPR gives individuals the right to have that data erased or to have your processing of it restricted.