Skarp

Chapter 5 of 13

GDPR Principles and Legal Bases: Lawfulness, Fairness and Purpose

Unpack the heart of the GDPR—its principles and legal bases—and see how subtle differences between consent, contract, legitimate interest and other grounds become decisive in tricky multiple‑choice questions.

15 min read

Step 1 – The Big Picture: Why Principles and Legal Bases Matter

Principles and Legal Bases: The Core Logic

The GDPR’s heart is two questions: are you following the principles (Article 5) and do you have a valid legal basis (Articles 6 and 9)? If either is missing, the processing is unlawful.

Principles vs Legal Bases

Principles are general rules and values that always apply and shape how you design processing. Legal bases are specific doors that can make a particular processing operation lawful.

Exam Relevance

Tricky questions often mix up consent, contract and legitimate interests, or forget special categories. Your goal is to spot principle violations and choose the single best legal basis for each purpose.

Current Context (May 2026)

Since May 2018 the GDPR has applied across the EU. New laws like the Data Act sit alongside it but do not change GDPR principles or legal bases. EDPB and DPAs refine how we interpret the same text.

Step 2 – The GDPR Principles (Article 5) in Plain Language

Lawfulness, Fairness, Transparency

Lawfulness: a valid legal basis. Fairness: no misleading or exploitative use. Transparency: clear, accessible information (e.g. privacy notices) about what you do with data.

Purpose Limitation

Collect data for specific, explicit, legitimate purposes. Do not later use it for a new, incompatible purpose. Some further uses may be compatible if safeguards exist.

Minimisation and Accuracy

Data minimisation: only process data that is necessary. Accuracy: keep data correct and updated, and fix or erase inaccuracies without undue delay.

Storage, Security, Accountability

Storage limitation: do not keep data longer than needed. Integrity/confidentiality: protect data with security measures. Accountability: be able to prove compliance (records, DPIAs, policies).

Step 3 – Spot the Principle: Mini Case Studies

Scenario A – Over‑Curious App

A fitness app collects name, email, constant GPS, full contact list and microphone access, with only "we use your data to improve our services" as explanation. Which principles are mainly at risk?

Scenario B – Never‑Ending CVs

A company keeps applicants’ CVs forever "in case" a role opens, without telling them how long data will be stored. Which principles does this most clearly conflict with?

Scenario C – Wrong Credit Score

A bank uses outdated data that links a customer to another person’s debts, causing a loan refusal. Which principles are most clearly violated here?

Scenario D – Hidden Profiling

A news site profiles users for targeted ads using tracking across partner sites, buried in dense legal text. Think about transparency, fairness, and lawfulness.

Step 4 – Match the Principle

Try this mental matching exercise. You do not need to submit answers; just reason them out and, if you like, write them down.

Task 1 – One‑to‑one matches

Match each short description to the main GDPR principle.

  1. "We only collect the minimum data needed for this specific purpose."
  2. "We delete or anonymise data once we no longer need it."
  3. "We tell people clearly what we do with their data and why."
  4. "We keep records to show that we comply with the GDPR."
  5. "We check regularly that the data we hold is still correct."

Options:

  • A. Accuracy
  • B. Transparency
  • C. Data minimisation
  • D. Storage limitation
  • E. Accountability

Try to assign each number 1–5 to a letter A–E.

Self‑check (no peeking first):

1 → C (Data minimisation)

2 → D (Storage limitation)

3 → B (Transparency)

4 → E (Accountability)

5 → A (Accuracy)

Task 2 – Multi‑principle thinking

For each situation, think of two principles that might be involved.

a) A social media platform changes its privacy policy to use your photos in ads, without clearly informing you.

  • Hint: think about fairness, transparency, purpose limitation, lawfulness.

b) A hospital stores patient records in an unlocked cabinet in a public corridor.

  • Hint: think about integrity/confidentiality, accountability, storage limitation.

c) A shopping app asks for access to your precise location to process a purely digital purchase.

  • Hint: think about data minimisation, fairness, lawfulness.

Reflect: In MCQs, the "best" answer is often the most specific principle clearly violated, even though several are relevant.

Step 5 – Legal Bases in Article 6: The Six Doors

The Six Legal Bases (Art. 6)

For ordinary personal data you must pick one main legal basis per purpose: consent, contract, legal obligation, vital interests, public task, or legitimate interests. Consent is not always the best choice.

Consent, Contract, Legal Obligation

Consent: freely given, specific, informed, unambiguous, withdrawable. Contract: necessary to perform a contract or pre‑contract steps. Legal obligation: required by EU or Member State law.

Vital Interests and Public Task

Vital interests: necessary to protect life or physical integrity, usually when the person cannot consent. Public task: necessary for a public‑interest task or official authority grounded in law.

Legitimate Interests

Legitimate interests: the controller or a third party has a legitimate interest, the processing is necessary for that interest, and a balancing test shows the interest is not overridden by the data subject’s rights and freedoms. In practice this requires a documented LIA.

Step 6 – Special Categories (Article 9) and Their Exceptions

What Are Special Categories?

Special categories (Art. 9) include data on race, politics, religion, trade‑union membership, genetics, biometrics for ID, health, sex life and sexual orientation. They get extra protection.

Double Layer Requirement

For special category data you need both: an Article 6 legal basis and an Article 9(2) condition. Legitimate interests on its own is never enough.

Key Exceptions: Consent and Law

Important 9(2) conditions: explicit consent; employment/social protection law; vital interests; non‑profit bodies; data manifestly made public; legal claims; substantial public interest under law.

Health, Public Health, Research

Health and public health processing (9(2)(h), (i)) and research/statistics (9(2)(j)) are permitted where there is a basis in law, appropriate safeguards and obligations of confidentiality. These conditions are widely relied on in healthcare and scientific projects.

Step 7 – Quick Legal Basis Check

Test your understanding of Article 6 and Article 9 with a focused question.

A private clinic processes patients’ health records to provide medical treatment. Which combination is the **most appropriate** legal framework under the GDPR?

  • A. Article 6: Consent; Article 9: Explicit consent
  • B. Article 6: Contract (necessary for treatment); Article 9: Health/medical purposes under law
  • C. Article 6: Legitimate interests; Article 9: Data manifestly made public
  • D. Article 6: Legal obligation; Article 9: Substantial public interest

Answer: B) Article 6: Contract (necessary for treatment); Article 9: Health/medical purposes under law

Providing treatment is normally **necessary for a contract** with the patient (Art. 6(1)(b)), and health data is processed under Art. 9(2)(h) (health/medical purposes, often grounded in national law and professional secrecy). Consent is fragile here because withdrawal could disrupt essential care, so contract + 9(2)(h) is usually more appropriate.

Step 8 – Consent vs Legitimate Interests: How to Choose

Elements of Valid Consent

Consent must be freely given, specific, informed, unambiguous, demonstrable and withdrawable. Pre‑ticked boxes, silence or bundled consent with non‑essential terms are not valid.

Legitimate Interests Assessment (LIA)

An LIA has three parts: purpose test (is the interest legitimate?), necessity test (is processing needed?), and balancing test (do individuals’ rights override the interest?).

When to Use Consent

Use consent for genuinely optional, non‑essential processing where people can refuse without any detriment, such as many marketing activities, optional features and voluntary research participation.

When to Use Legitimate Interests

Use legitimate interests for normal, expected, lower‑impact processing where people’s reasonable expectations and your safeguards support it, such as basic fraud checks or some internal analytics, with an easy opt‑out where appropriate.

Step 9 – Consent or Legitimate Interests?

Choose the best legal basis between consent and legitimate interests for this scenario.

An online bookstore uses customers’ purchase history to recommend similar books on its website **while they are logged in**. This is clearly explained in the privacy notice, and customers expect recommendations. What is the most appropriate legal basis?

  • A. Consent, because any profiling always requires consent
  • B. Contract, because recommendations are always necessary to deliver the book
  • C. Legitimate interests, because recommendations are an expected, low‑impact use with safeguards
  • D. Vital interests, because it protects customers from bad purchases

Answer: C) Legitimate interests, because recommendations are an expected, low‑impact use with safeguards

Recommendations based on purchase history are typically an **expected, low‑impact** activity. They are not strictly necessary to deliver the contract (so contract is weak), and profiling does not always require consent. Legitimate interests, supported by transparency and an easy opt‑out, is usually the best fit here.

Step 10 – Key Terms Review

Flip through these flashcards to reinforce the most important concepts from this module.

Lawfulness, fairness, transparency
A combined principle: processing must have a valid legal basis (lawfulness), must not be misleading or exploitative (fairness), and must be clearly explained to individuals (transparency).
Purpose limitation
Data must be collected for specific, explicit, legitimate purposes and not further processed in ways incompatible with those original purposes.
Data minimisation
Only process personal data that is adequate, relevant and limited to what is necessary for the stated purposes.
Storage limitation
Keep personal data in identifiable form no longer than necessary for the purposes for which it is processed.
Accountability
The controller is responsible for and must be able to demonstrate compliance with the GDPR principles (e.g. via records, DPIAs, policies).
Legal bases (Article 6)
The six legal bases are: consent, contract, legal obligation, vital interests, public task, and legitimate interests.
Special categories of data
Sensitive data such as health, genetic, biometric (for ID), racial or ethnic origin, political opinions, religious or philosophical beliefs, trade‑union membership, sex life or sexual orientation.
Article 9(2) conditions
Extra conditions needed for special category data, including explicit consent, employment/social protection law, vital interests, substantial public interest, healthcare, public health, and research.
GDPR‑compliant consent
Consent that is freely given, specific, informed, unambiguous, demonstrable, and can be withdrawn easily at any time.
Legitimate Interests Assessment (LIA)
A structured test for Art. 6(1)(f): identify the interest, check necessity, and balance it against individuals’ rights, documenting the reasoning and safeguards.

Key Terms

Consent
A data subject’s freely given, specific, informed and unambiguous indication of wishes by which they signify agreement to processing of their personal data.
Transparency
The requirement to provide clear, accessible information to individuals about how and why their personal data is processed, including their rights.
Accountability
The principle that controllers are responsible for complying with the GDPR and must be able to demonstrate this compliance through evidence such as policies, records and assessments.
Data minimisation
A principle requiring that only the personal data necessary for each specific purpose is collected and processed.
Purpose limitation
The principle that personal data must be collected for specified, explicit and legitimate purposes and not further processed in incompatible ways.
Legitimate interests
A legal basis under Article 6(1)(f) where processing is necessary for the controller’s or a third party’s legitimate interest, provided this is not overridden by the data subject’s rights and interests.
Article 6 legal bases
The six grounds that can make processing of ordinary personal data lawful: consent, contract, legal obligation, vital interests, public task, and legitimate interests.
Special category data
Categories of personal data listed in Article 9(1) (e.g. health, genetic, biometric for ID, race, political opinions) that attract stronger protection.
Article 9 special categories
A subset of personal data considered particularly sensitive (e.g. health, biometric for ID, political opinions) that requires both an Article 6 legal basis and an Article 9(2) condition.
Legitimate Interests Assessment (LIA)
A structured assessment used to justify legitimate interests, covering purpose, necessity and balancing tests, and documenting safeguards.
