Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Is Article 6 GDPR? Why Does It Matter For UK Businesses?
- Which Activities Are Covered By Article 6 GDPR?
- What Are The Six Lawful Bases Under Article 6 GDPR?
- How To Choose The Right Lawful Basis For Your Business
- What Documentation And Processes Should You Have?
- What Happens If You Get Article 6 GDPR Wrong?
- How Does Article 6 GDPR Fit With Other UK Data Laws?
- What Are The Next Steps To Make Sure Your Business Is Article 6 GDPR Compliant?
- Key Takeaways
If your business collects, uses or even just stores customer or employee data, you’ve likely heard you need to comply with GDPR. But when it comes to actually following these rules, one question gets asked more than any other: “What makes it lawful to process someone’s personal information, anyway?”
That’s exactly where Article 6 GDPR comes in. Think of it as the foundation for making sure your business’s day-to-day use of personal data won’t land you in hot water with the ICO, or damage the trust you’ve built with customers.
In this guide, we’re tackling Article 6 GDPR in plain English. If you’re a business owner, manager or someone simply responsible for data protection, keep reading to find out how to meet your legal obligations, avoid common pitfalls, and set your business up for compliance from day one.
What Is Article 6 GDPR? Why Does It Matter For UK Businesses?
Article 6 of the General Data Protection Regulation (GDPR) sets out the legal grounds, called “lawful bases”, that permit a business to process personal data. In other words, unless one of the six lawful bases applies, processing that data is unlawful, no matter how big or small your company is.
The UK GDPR (the UK’s own version post-Brexit, but still nearly identical to the EU version) makes compliance with Article 6 mandatory for every business that handles personal data. And yes, “personal data” covers anything from names and email addresses to customer purchase history and even employee records.
Ignoring Article 6 can lead to more than just complaints. The UK’s Information Commissioner’s Office (ICO) has the power to issue heavy fines and take enforcement action if you process personal data unlawfully. But the impact goes deeper: customers expect their privacy to be protected, and respecting Article 6 helps earn their trust.
Which Activities Are Covered By Article 6 GDPR?
If you’re not sure whether Article 6 GDPR applies to your business, here’s a quick test: do you collect, use, store, analyse, or delete data about individuals, whether customers, website visitors, staff, or suppliers? If so, you’re “processing personal data,” and Article 6 applies.
Common examples include:
- Running email marketing campaigns (using subscribers’ details)
- Managing a customer loyalty scheme
- Processing online orders and shipping products
- Keeping records of your employees for HR, payroll or training
- Analysing website traffic linked to user accounts
- Gathering feedback or reviews that mention names or contact info
If it’s information that helps identify a living person, even indirectly, it falls under GDPR. That means choosing a lawful basis under Article 6 is a step you simply can’t skip.
Want to know more about the difference between personal data, special category data, and anonymous information? Check out our guide to personal data types.
What Are The Six Lawful Bases Under Article 6 GDPR?
The core of Article 6 GDPR is straightforward: you must always have a recognised reason, one of six, to justify your processing of personal data. Picking the right basis and being able to demonstrate it is key for lawful compliance.
Here’s a quick overview of the six lawful bases:
- Consent: The individual has given clear permission for you to process their data for a specific purpose.
- Contract: Processing is necessary to perform a contract with the individual (or before entering into a contract).
- Legal Obligation: You need to process the data to comply with a legal duty (not including contractual obligations).
- Vital Interests: Processing is necessary to protect someone’s life (usually very rare for most businesses).
- Public Task: Processing is needed to perform a task in the public interest or exercise official authority (mainly public sector bodies).
- Legitimate Interests: Processing is necessary for your business’s legitimate interests (or those of a third party), unless overridden by the data subject’s rights.
Let’s take a closer look at each, including practical business examples.
How Do The Lawful Bases Work In Real Business Situations?
1. Consent
Consent must be freely given, specific, informed, and unambiguous. This means you need to make it simple for someone to say yes or no, and explain what they’re agreeing to in plain language. Consent works well for:
- Newsletter sign-ups (where you aren’t relying on another basis)
- Marketing emails, unless you’re using the “soft opt-in” for certain existing customers
- Collecting sensitive (“special category”) data, for example health information
Remember, consent must be recorded, and you need an easy way for people to withdraw it at any time.
For more help, see our GDPR consent forms guide.
2. Contract
If processing personal data is necessary to provide a service or sell a product (that the customer or employee has contracted for), this is your lawful basis. Use “contract” for:
- Taking payment and delivering products or services bought online
- Managing employee payroll or benefits as required by employment contracts
You can’t rely on contract for things that go beyond what’s needed to fulfil the actual contract; for that, check the other bases.
3. Legal Obligation
This basis covers situations where UK law (other than a contract) requires you to process certain data. For example:
- Reporting employee earnings to HMRC
- Keeping VAT records
- Complying with anti-money laundering checks
If you’re processing data only because you’re legally obliged to (not by internal choice), this is the correct basis.
For a breakdown of what records you must keep as a sole trader, see our guide to sole trader recordkeeping.
4. Vital Interests
This is rarely relevant for most commercial businesses. It applies only where processing data is truly necessary to protect someone’s life, for example in a medical emergency.
5. Public Task
If you’re carrying out tasks as a public authority, or acting in the public interest (like certain regulatory or public sector activities), this is your basis. It is not typically used by private businesses.
6. Legitimate Interests
For many UK businesses, legitimate interests is the most flexible and common basis. But it’s also the most challenging to get right. You must balance your business’s needs against the individual’s privacy rights.
Examples where “legitimate interests” could apply:
- Direct marketing activities that don’t rely on consent
- Preventing fraud or security threats
- Improving your services or products after a sale
- Network and IT security monitoring
If you rely on legitimate interests, you’re expected to carry out and document a “legitimate interests assessment” (LIA), showing you’ve thought about the risks and taken steps to minimise impact on individuals’ rights.
Wondering how all this fits with your privacy obligations? Our GDPR essentials guide breaks down privacy compliance in even more detail.
How To Choose The Right Lawful Basis For Your Business
Deciding which basis to use depends on three things:
- Your purpose for processing the data
- Whether the processing is actually necessary for that purpose
- Whether that basis is permitted under Article 6, and whether a less intrusive alternative exists
You must decide this before you start collecting data, and you can’t “swap” bases later unless you have a really good reason. Also, make sure you clearly explain in your Privacy Policy which lawful basis you use for each processing activity.
What Documentation And Processes Should You Have?
Article 6 GDPR isn’t just about theory; your business needs to be able to prove how you’ve picked a lawful basis. You should have:
- A detailed Privacy Policy that spells out your lawful basis for each category of data you collect and process
- Records of processing activities (ROPA), as required by Article 30 GDPR, showing your chosen lawful bases
- Consent logs, if you rely on consent (make it easy for people to withdraw at any time)
- Contracts that reflect data protection duties with staff, suppliers, or contractors
- Legitimate Interests Assessments (LIAs) where relevant
Without these documents, you risk failing an ICO audit, and could face penalties if a complaint is raised. For a full checklist, see our guide to UK GDPR compliance.
What Happens If You Get Article 6 GDPR Wrong?
If you process personal data without a valid lawful basis under Article 6 GDPR, you could face:
- ICO investigations and formal enforcement action
- Hefty fines: up to £17.5 million or 4% of global annual turnover for serious breaches
- Legal claims from affected individuals
- Severe damage to your business’s reputation and customer trust
Perhaps even more concerning, sloppy data handling might mean missed sales opportunities, lost business partnerships, or an inability to operate in key markets.
It can be overwhelming to map out your compliance, but it’s far easier (and cheaper!) to get things right before an issue arises.
How Does Article 6 GDPR Fit With Other UK Data Laws?
The UK GDPR works alongside the Data Protection Act 2018, the PECR (Privacy and Electronic Communications Regulations), and other sector-specific requirements. In practice, Article 6 forms the main “gateway” for any processing, but other laws may add extra layers of duty, especially for marketing or employee data.
- If you’re planning to send marketing emails, you’ll also need to follow PECR rules. See our PECR and marketing guide
- If you process “special category data” (think health, biometric, or criminal conviction details), you’ll need a lawful basis and will also have to meet extra conditions for processing
Keep in mind: having a lawful basis doesn’t mean you can ignore other legal requirements, such as keeping data secure, dealing with subject access requests, or honouring deletion rights. Our privacy law overview explains how these rules work together.
What Are The Next Steps To Make Sure Your Business Is Article 6 GDPR Compliant?
Protecting your business starts with a clear process:
- Map out every way you collect and use personal data (from website cookies to HR to marketing)
- Decide on the purposes for each type of processing
- Select the appropriate lawful basis for each (and document your reasoning)
- Update your Privacy Policy to reflect these choices
- Train your team so everyone understands the basis for the data they handle
- Keep clear records to prove your compliance if the ICO comes calling
If you’re ever unsure which lawful basis to pick, or how to document it, it’s smart to seek advice. Data protection is an area where cutting corners can create more work, cost, and risk down the track.
Remember: addressing legal requirements upfront will protect your business as it grows, attract customer trust, and let you operate with confidence.
Key Takeaways
- Article 6 GDPR is the cornerstone of lawful data processing for every UK business: without a valid lawful basis, your data handling is unlawful
- There are six lawful bases under Article 6 GDPR: consent, contract, legal obligation, vital interests, public task, and legitimate interests
- You must decide your lawful basis before collecting any personal data, and document your choices clearly in your policies and records
- Consent is only valid if it’s freely given, informed, and can be withdrawn at any time; keep a record!
- Legitimate interests is flexible, but requires a documented balancing test
- Failure to comply with Article 6 GDPR can mean severe fines and reputational damage
- Article 6 is just the first step; be sure to follow all other GDPR and UK data privacy rules
- Getting your compliance right from day one helps you avoid risk, win customer trust, and future-proof your business
If you’d like advice on ensuring your business is fully GDPR compliant, or need help drafting a compliant Privacy Policy, data mapping, or handling customer data, reach out for a free, no-obligations chat on 08081347754 or team@sprintlaw.co.uk.