Master Article 6 for CIPP/E Success
Understanding lawful basis is fundamental to GDPR compliance and CIPP/E exam success. This guide provides comprehensive coverage of all six lawful bases, including the complex legitimate interests assessment, practical scenarios, common pitfalls, and exam-specific strategies. Learn when to apply each basis, how they interact, and critical restrictions you must know.
The Foundation: Understanding Lawful Basis
Article 6 of the GDPR makes processing of personal data lawful only if at least one of the six lawful bases in Article 6(1) applies. This isn't just a technicality; it's the cornerstone of data protection law. Every processing activity must be linked to at least one lawful basis, and choosing incorrectly can lead to significant fines and to exam failure.
Critical Exam Concepts
- One is enough: You need at least ONE lawful basis, identified before processing starts; you do not need to stack several
- No switching: Do not swap to a different basis after the fact; a genuinely new purpose needs its own basis and fresh transparency
- Document everything: You must be able to demonstrate which basis applies (accountability, Article 5(2))
- Purpose limitation: The basis must match the specific processing purpose
- Special categories: An Article 6 basis PLUS an Article 9(2) condition are both required
The Six Lawful Bases: Complete Analysis
Consent (Article 6(1)(a))
The data subject has given a clear, affirmative indication of agreement to the processing
When to Use Consent
- Marketing communications and newsletters
- Non-essential cookies and tracking
- Optional services or features
- Research participation
- When you want maximum flexibility for data subjects
Requirements (Article 7)
- Demonstrable: Controller must prove consent was given
- Clear request: Intelligible, easily accessible, plain language
- Distinguishable: Separated from other matters
- Withdrawable: As easy to withdraw as to give
- Freely given: No imbalance of power, no conditionality
- Specific: For defined purposes
- Informed: Data subject knows what they're agreeing to
- Unambiguous: Clear affirmative action required
Valid Consent Scenarios
- User actively ticks unchecked box for marketing emails
- Customer chooses cookie preferences with granular options
- Research participant signs detailed consent form
- Website visitor opts into optional analytics with clear explanation
Invalid Consent Scenarios
- Pre-ticked boxes or opt-out mechanisms
- Bundled consent for multiple unrelated purposes
- Employment "consent" where refusal affects job
- Service conditional on unnecessary data processing consent
- Silence, inactivity, or merely proceeding with service
Contract (Article 6(1)(b))
Processing is necessary for the performance of a contract with the data subject, or for pre-contractual steps taken at their request
When to Use Contract Basis
- Delivering goods or services purchased by data subject
- Processing payment information
- Account creation and management
- Customer service and support
- Pre-contractual steps at data subject's request
Key Requirement: Necessity Test
Processing must be objectively necessary for the specific contract. This means:
- Contract cannot be performed without this processing
- No reasonable alternative exists
- Processing is proportionate to contract purpose
Valid Contract Basis
- Processing delivery address for online purchase
- Bank processing transactions for account holder
- Telecom provider processing call records for billing
- Employer processing salary information for employment contract
Not Necessary for Contract
- Marketing based on purchase history
- Profiling for personalized recommendations
- Sharing data with third parties for their purposes
- Building profiles for future services
Legal Obligation (Article 6(1)(c))
Processing is necessary for compliance with a legal obligation to which the controller is subject
When to Use Legal Obligation
- Tax reporting and financial regulations
- Employment law requirements
- Health and safety obligations
- Anti-money laundering (AML) checks
- Court orders and legal proceedings
- Statutory record-keeping requirements
Important Considerations
- Must be EU or Member State law (not third country law alone)
- Obligation must be on the controller specifically
- Processing must be necessary to meet obligation
- Cannot use for obligations you voluntarily assumed
Valid Legal Obligation
- Employer reporting employee taxes to authorities
- Bank conducting KYC checks under AML regulations
- Company maintaining accident records under H&S law
- Hospital reporting notifiable diseases
Not a Legal Obligation
- Industry best practices or standards (unless legally mandated)
- Contractual obligations to third parties
- US legal requirements (without EU law basis)
- Voluntary certification requirements
Vital Interests (Article 6(1)(d))
Processing is necessary to protect the vital interests (essentially, the life) of the data subject or another natural person
When to Use Vital Interests
- Medical emergencies where person is unconscious
- Humanitarian crises and disaster response
- Life-threatening situations requiring immediate action
- Epidemic/pandemic contact tracing (in extreme cases)
Strict Requirements
- Life or death: Must be essential to someone's life
- No other basis available: Last resort only
- Can protect third parties: Not limited to data subject
- Not for capable subjects: If the person is able to give consent, or another basis plainly applies, vital interests is not the right basis
Valid Vital Interests
- Hospital processing unconscious patient's medical data
- Sharing data to locate missing person in danger
- Emergency services accessing medical alert information
Not Vital Interests
- General public health monitoring
- Preventive medicine (use other basis)
- Financial hardship or property damage
- Convenience in medical treatment
Public Task (Article 6(1)(e))
Processing is necessary for a task carried out in the public interest or in the exercise of official authority vested in the controller
When to Use Public Task
- Public administration and government services
- Law enforcement (outside LED scope)
- Public health monitoring and research
- Educational institutions (public)
- Regulatory compliance and supervision
Key Requirements
- Legal basis required: Task must be laid down in law
- Usually public bodies: Mainly relied on by official authorities
- Can include private bodies: When performing public functions
- No consent needed: But subject can object (Article 21)
Valid Public Task
- Tax authority processing tax returns
- Public university maintaining student records
- Electoral commission processing voter registration
- Public health authority tracking disease outbreaks
Legitimate Interests (Article 6(1)(f)), the Most Complex
Processing is necessary for the legitimate interests of the controller or a third party, balanced against the data subject's interests, rights and freedoms
When to Use Legitimate Interests
- Marketing to existing customers (Recital 47; for email or SMS the ePrivacy "soft opt-in" conditions must also be met)
- Fraud prevention and security
- Internal administrative purposes
- Network and information security
- Employee monitoring (proportionate)
- Debt recovery
- Physical security and access control
The Three-Part LIA Test (MANDATORY)
Part 1: Purpose Test
- Is there a legitimate interest?
- Is it lawful and ethical?
- Is it clearly articulated?
Part 2: Necessity Test
- Is processing necessary for the interest?
- Can the interest be achieved another way?
- Is processing proportionate?
Part 3: Balancing Test
- What is the impact on individuals?
- Are their interests overridden?
- What safeguards can be implemented?
Factors Favoring Controller
- Processing is not intrusive
- Limited/non-sensitive data
- Data subjects expect the processing
- Significant legitimate interest
- Additional safeguards in place
Factors Favoring Data Subject
- Sensitive or special category data
- Data about children
- Large scale processing
- Unexpected processing
- Risk of harm or distress
- No ability to opt-out
Legitimate Interests Likely Valid
- CCTV in retail store for security (with signs)
- Sharing within corporate group for admin
- Marketing similar products to existing customers
- Fraud detection systems
Interests Likely Overridden
- Covert monitoring of employees
- Selling data to third parties
- Profiling children for marketing
- Processing sensitive data without safeguards
Choosing the Right Lawful Basis: Decision Framework
Lawful Basis Selection Flowchart
- Is the processing required by EU or Member State law? YES: Use Legal Obligation (c)
- Is it essential to protect someone's life, and no other basis plainly applies? YES: Consider Vital Interests (d)
- Is it necessary for a task laid down in law, in the public interest or in the exercise of official authority? YES: Use Public Task (e)
- Is it necessary to perform a contract with the data subject, or for pre-contractual steps at their request? YES: Use Contract (b)
- Is it necessary for a legitimate interest that is not overridden by the data subject's interests and rights? YES: Use Legitimate Interests (f) with a documented LIA
- Can you obtain freely given, specific, informed and unambiguous consent, with a genuine choice to refuse? YES: Use Consent (a)
- None of the above? Reconsider whether the processing is lawful at all
Comparison Table: Key Characteristics
| Basis | Subject Can Object? | Can Withdraw? | Documentation Needed | Flexibility |
|---|---|---|---|---|
| Consent | N/A (can withdraw instead) | Yes, at any time | Proof of consent | High |
| Contract | No | No | Contract terms and necessity reasoning | Low |
| Legal Obligation | No | No | Reference to the EU or Member State law | None |
| Vital Interests | No | No | Emergency records | None |
| Public Task | Yes (Art. 21(1)) | No | Legal authority for the task | Low |
| Legitimate Interests | Yes (Art. 21(1)) | No | LIA documentation | Medium |
Note: the Article 21(2) right to object to direct marketing applies whatever the lawful basis.
Common Exam Scenarios and Solutions
Scenario 1: Employee Monitoring
Question: Company wants to monitor employee emails for security.
Answer: Legitimate interests (with strong safeguards) or legal obligation (if required by law). NOT consent due to power imbalance.
Scenario 2: Customer Database for Marketing
Question: Online retailer wants to send promotional emails.
Answer: Consent for prospects; legitimate interests possible for existing customers (soft opt-in) with right to object.
Scenario 3: School Processing Student Data
Question: Public school maintaining student records.
Answer: Public task (if public school) or legal obligation (if required by education law). Photos for yearbook: consent.
Scenario 4: Hospital Emergency Treatment
Question: Hospital treating unconscious patient.
Answer: Vital interests for the emergency treatment of the unconscious patient (Article 6(1)(d), with the Article 9(2)(c) condition for the health data); once the patient can act for themselves, rely on the hospital's ordinary basis for healthcare provision, paired with the Article 9(2)(h) condition for health data.
Top 10 Exam Tips for Lawful Basis Questions
- One is enough: Never argue multiple bases unless specifically asked to consider alternatives
- Cannot switch: Changing basis requires new purpose and fresh transparency
- Document choice: Accountability requires documenting basis selection reasoning
- "Necessary" is strict: More than merely useful or standard practice, though it need not be absolutely indispensable; the processing must be a targeted, proportionate way of achieving the purpose
- Special categories need both: Article 6 basis PLUS Article 9 exception
- Public authorities limited: Cannot use legitimate interests in official capacity
- Employee consent suspect: Power imbalance usually invalidates employee consent
- Marketing splits: Consent for prospects, legitimate interests possible for customers
- Children require extra care: Their interests nearly always override controller's
- Transparency links: Must inform about specific basis in privacy notice
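The rules in the tips above can be enforced mechanically over a record of processing activities (RoPA). The following is an added example written for this guide, not code from IAPP, any regulator or any GDPR tool; the record schema, field names, sample activities and statute references are assumptions made for illustration, and the checks encode only the constraints stated on this page.

```python
"""Lawful-basis consistency checks over a record of processing activities (RoPA).

Added illustration for this guide, not code from IAPP or any GDPR tool. The
record schema, field names and the check list are assumptions made for the
example; they encode the exam rules stated in the guide.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

BASES = {"a": "consent", "b": "contract", "c": "legal obligation",
         "d": "vital interests", "e": "public task", "f": "legitimate interests"}
EU_LAW = ("EU", "MEMBER_STATE")  # jurisdictions acceptable for basis (c), Art. 6(3)


@dataclass
class ProcessingActivity:
    name: str
    purpose: str
    basis: List[str]                        # Article 6(1) letters, e.g. ["f"]
    special_category: bool = False          # Article 9 data involved?
    art9_condition: Optional[str] = None    # e.g. "9(2)(h)"
    public_authority: bool = False          # controller is a public authority
    official_task: bool = False             # processing is part of its official tasks
    lia_reference: Optional[str] = None     # where the documented LIA lives
    law_reference: Optional[str] = None     # statute relied on for basis (c)
    law_jurisdiction: Optional[str] = None  # "EU", "MEMBER_STATE" or a third country
    consent_withdrawable: bool = False      # withdrawal as easy as giving (Art. 7(3))
    consent_pre_ticked: bool = False        # collected via a pre-ticked box?
    children: bool = False                  # data subjects are children
    basis_in_privacy_notice: bool = False   # basis disclosed under Arts. 13/14


def check_activity(act: ProcessingActivity) -> List[str]:
    """Return the findings for one record; an empty list means it is consistent."""
    findings: List[str] = []
    if not act.basis:
        findings.append("no Article 6 basis recorded; processing is prohibited without one")
    for b in act.basis:
        if b not in BASES:
            findings.append(f"unknown basis letter {b!r}")
    # Special categories need an Article 6 basis PLUS an Article 9(2) condition
    if act.special_category and not act.art9_condition:
        findings.append("special category data but no Article 9(2) condition recorded")
    if "f" in act.basis:
        # Public authorities cannot rely on (f) in the performance of their tasks
        if act.public_authority and act.official_task:
            findings.append("public authority relying on legitimate interests for an official task")
        if not act.lia_reference:
            findings.append("legitimate interests claimed but no LIA documented")
        if act.children:
            findings.append("legitimate interests over children's data: balancing test must address the child's interests")
    if "c" in act.basis:
        # The obligation must rest on EU or Member State law, not third-country law alone
        if not act.law_reference:
            findings.append("legal obligation claimed but no law cited")
        elif act.law_jurisdiction not in EU_LAW:
            findings.append(f"legal obligation rests on {act.law_jurisdiction} law alone (Art. 6(3) requires EU or Member State law)")
    if "a" in act.basis:
        if not act.consent_withdrawable:
            findings.append("consent basis but no withdrawal mechanism (Art. 7(3))")
        if act.consent_pre_ticked:
            findings.append("consent via pre-ticked box is not an unambiguous affirmative action")
    if act.basis and not act.basis_in_privacy_notice:
        findings.append("lawful basis not stated in the privacy notice")
    return findings


def audit(activities: List[ProcessingActivity]) -> Dict[str, List[str]]:
    """Map each activity name to its findings."""
    return {a.name: check_activity(a) for a in activities}


# Constructed sample RoPA for the example (hypothetical controller, hypothetical references).
SAMPLE_ROPA = [
    ProcessingActivity("Order fulfilment", "deliver goods bought online", ["b"],
                       basis_in_privacy_notice=True),
    ProcessingActivity("Payroll tax reporting", "report employee tax to the authority", ["c"],
                       law_reference="national tax code s.12", law_jurisdiction="MEMBER_STATE",
                       basis_in_privacy_notice=True),
    ProcessingActivity("Fraud detection", "screen card payments for fraud", ["f"],
                       lia_reference="LIA-2024-03", basis_in_privacy_notice=True),
    ProcessingActivity("Taxpayer risk scoring", "score returns for audit selection", ["f"],
                       public_authority=True, official_task=True, lia_reference="LIA-7",
                       basis_in_privacy_notice=True),
    ProcessingActivity("Health questionnaire", "collect allergy data for a wellness app", ["a"],
                       special_category=True, consent_withdrawable=True, basis_in_privacy_notice=True),
    ProcessingActivity("Log retention for US subpoena", "retain access logs", ["c"],
                       law_reference="US federal statute", law_jurisdiction="US",
                       basis_in_privacy_notice=True),
    ProcessingActivity("Newsletter", "send promotional emails to prospects", ["a"],
                       consent_withdrawable=True, consent_pre_ticked=True, basis_in_privacy_notice=True),
]

if __name__ == "__main__":
    for name, found in audit(SAMPLE_ROPA).items():
        print(f"{name}: {'OK' if not found else '; '.join(found)}")
```

Run as a script it prints one line per activity; the first three sample records pass, while the public-authority legitimate-interests record, the special-category record without an Article 9(2) condition, the record resting on US law alone and the pre-ticked consent record each produce a finding. The checks are deliberately structural (is the required evidence recorded?); whether an LIA's balancing is actually sound still needs a human reviewer.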
Final Thoughts: Mastery Through Practice
Understanding lawful basis is not just about memorizing six options; it's about developing the judgment to apply them correctly in complex scenarios. The CIPP/E exam will test your ability to:
- Quickly identify the appropriate basis for various scenarios
- Understand the limitations and requirements of each basis
- Recognize when legitimate interests assessment is needed
- Spot invalid consent situations
- Apply the necessity test correctly
Focus your study on practicing scenario-based questions. Real mastery comes from applying these concepts to diverse situations, not just memorizing rules. Remember that in the real world and on the exam, context is everything: the same processing activity might require different bases depending on the controller, purpose, and data subjects involved.