Article 6(1) GDPR — The six lawful bases for processing
Article 6(1) GDPR establishes the threshold requirement that every processing operation must satisfy at least one of six lawful bases. Processing is lawful only if and to the extent that at least one of the following applies: (a) consent, (b) contract, (c) legal obligation, (d) vital interests, (e) public task, or (f) legitimate interests. The controller must identify the applicable basis before processing begins; the CJEU and EDPB have repeatedly held that controllers cannot swap between lawful bases after processing has started.
The six bases in detail
Article 6(1)(a) — Consent. The data subject has given consent to the processing of his or her personal data for one or more specific purposes. Consent under the GDPR must be "freely given, specific, informed and unambiguous" (Article 4(11)). It must be as easy to withdraw as to give (Article 7(3)), and withdrawal does not affect the lawfulness of processing before withdrawal. The EDPB has stressed that consent is inappropriate where there is a clear imbalance of power (e.g., employer–employee) or where the service can be provided without the specific processing. Article 8 imposes an additional age-of-consent rule for information-society services offered directly to children: processing is lawful where the child is at least 16 years old (Member States may lower this to 13), and below that age only if parental consent is given.
Article 6(1)(b) — Contract. Processing is necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract. The EDPB's Guidelines 2/2019 make clear that "necessary" is an objective concept: if the service can realistically be provided without the processing, then Article 6(1)(b) does not apply. Behavioural advertising, profiling for product recommendations, and similar "value-added" features are generally not necessary for contract performance unless they form the core of the bargain.
Article 6(1)(c) — Legal obligation. Processing is necessary for compliance with a legal obligation to which the controller is subject. The obligation must be laid down in EU or Member State law that is sufficiently clear and specific; it is not enough for the controller to assert a general business need. The law must specify the purposes and essential elements of the processing (Article 6(3)).
Article 6(1)(d) — Vital interests. Processing is necessary to protect the vital interests of the data subject or of another natural person. This is an emergency basis, construed narrowly. Recital 46 gives the example of humanitarian purposes, epidemic monitoring, or natural disasters. The EDPB guidance emphasises that vital interests should be relied on only when no other basis is available and the data subject is physically or legally incapable of giving consent (e.g., unconscious).
Article 6(1)(e) — Public task. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The task must be laid down by EU or Member State law (Article 6(3)). Point (e) is generally unavailable to private-sector controllers unless they are exercising delegated public functions. Article 6(1), final sentence, explicitly states that point (f) (legitimate interests) does not apply to public authorities performing their tasks — they must rely on (c) or (e).
Article 6(1)(f) — Legitimate interests. Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This is a flexible basis that requires a three-part test (as articulated by the CJEU in Latvijas Republikas Saeima (C‑439/19) and codified in the EDPB's Guidelines 1/2024 on legitimate interests): (1) the interest must be lawful, clearly articulated, real, and present; (2) the processing must be necessary — if there are equally effective but less intrusive alternatives, the processing fails the necessity test; (3) a balancing exercise must show that the controller's interest is not overridden by the data subject's rights and freedoms, taking account of the data subject's reasonable expectations, the nature and sensitivity of the data, and any safeguards applied.
No hierarchy among the bases
The EDPB and CJEU have emphasised that the six bases are of equal legal standing; there is no general hierarchy. A controller must select the basis that fits the specific purpose and stick with it. If processing serves multiple purposes, each purpose needs its own lawful basis (and the transparency obligations under Articles 13 and 14 require the controller to specify which basis applies to which purpose).
Interaction with Article 9 special-category data
For special-category data (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for unique identification, health data, sex life, or sexual orientation), Article 6(1) remains a necessary but not sufficient condition. The controller must also satisfy one of the Article 9(2) conditions (explicit consent, employment/social-security law, vital interests when the data subject is incapable, processing by a not-for-profit body, data manifestly made public by the data subject, legal claims, substantial public interest, health/social care, public health, or archiving/research/statistics). The two-layer structure means that processing of special-category data for direct marketing, for example, cannot rely on legitimate interests under Article 6(1)(f) unless an Article 9(2) condition is also met — and in practice, explicit consent (Article 9(2)(a)) is typically the only viable route for most commercial uses.
Application date and enforcement
The GDPR entered into force on 24 May 2016 and has applied since 25 May 2018. The European Data Protection Board (EDPB) coordinates the enforcement posture of national supervisory authorities. Failure to establish a valid lawful basis is an infringement of Article 6(1) and can trigger administrative fines of up to €20 million or 4 % of total worldwide annual turnover, whichever is higher (Article 83(5)(a)). Leading enforcement decisions on lawful-basis failures include the Irish DPC's WhatsApp decision (EUR 225 million fine, 2021) for unlawful reliance on contract and legitimate interests for data sharing with Facebook, and the CNIL's Google LLC decision (EUR 90 million, 2020) for lack of valid consent for advertising cookies.
Source: Regulation (EU) 2016/679 (GDPR), Article 6
Source: EDPB Guidelines 5/2020 on consent under Regulation 2016/679
Source: EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR
Source: EDPB Guidelines 1/2024 on Article 6(1)(f) GDPR
Article 9 GDPR — Special-category data and the ten conditions
Article 9(1) GDPR imposes a general prohibition on processing personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. This prohibition operates as a default ban; processing is unlawful unless the controller satisfies one of the ten conditions in Article 9(2). The CJEU has made clear that Article 9(1) covers not only data that are inherently sensitive but also data that reveal information of that nature indirectly, following deduction or cross-referencing.
Two-layer structure: Article 6(1) and Article 9(2) both required
Satisfying an Article 9(2) condition is necessary but not sufficient. The controller must also identify a lawful basis under Article 6(1). As the EDPB states in Guidelines 1/2024 on legitimate interests (paragraph 47, footnote 47), "meeting the conditions laid down in Article 9(2) GDPR does not automatically fulfil the conditions of Article 6(1)(f) GDPR. If this legal basis for processing is to be used, the controller must satisfy the requirements of both GDPR provisions when it processes special categories of personal data." In practice, this means that processing health data for direct marketing requires both a valid Article 6(1) basis (often consent or legitimate interests) and an Article 9(2) condition (most commonly explicit consent under Article 9(2)(a)). The controller must document both layers and cannot swap between bases after processing begins.
The ten conditions — Article 9(2)
Article 9(2) provides that the prohibition in paragraph 1 shall not apply if one of the following applies:
Article 9(2)(a) — Explicit consent. The data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition may not be lifted by the data subject. "Explicit consent" is a higher standard than the consent required under Article 6(1)(a): it requires a clear affirmative statement (oral or written), not merely implied from conduct. The EDPB emphasizes in Guidelines 03/2020 on health data and scientific research that explicit consent must meet all the requirements of Articles 4(11) and 7 GDPR—freely given, specific, informed, unambiguous—and cannot be inferred from silence, pre-ticked boxes, or inactivity. Consent is inappropriate where there is a clear imbalance of power, such as employer–employee relationships (Recital 43 GDPR).
Article 9(2)(b) — Employment, social security, and social protection law. Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject.
Article 9(2)(c) — Vital interests. Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent. This is an emergency basis; the EDPB's Guidelines 3/2019 on video devices (paragraph 46 and Example 17) emphasize that it applies only where the data subject cannot consent and no other legal basis is available—for example, a hospital monitoring an unconscious patient's health condition.
Article 9(2)(d) — Legitimate activities of certain bodies. Processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects.
Article 9(2)(e) — Data manifestly made public by the data subject. Processing relates to personal data which are manifestly made public by the data subject. The EDPB has stressed in Guidelines 3/2019 on video devices (paragraph 48) that the mere fact of appearing in public—for example, entering the range of a camera while wearing religious attire or using a wheelchair—does not imply that the data subject intends to make special-category data public. "Manifestly" requires deliberate publication by the data subject herself.
Article 9(2)(f) — Legal claims. Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
Article 9(2)(g) — Substantial public interest. Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. Member State law must define what constitutes "substantial public interest" and impose additional safeguards; blanket reliance on this provision without a specific legal basis is impermissible. The EDPB notes in Guidelines 03/2020 on health data and scientific research (paragraph 24 and footnote 13) that Article 9(2)(g), (i), and (j) all require a foundation in Union or Member State law and must be proportionate and include specific safeguards.
Article 9(2)(h) — Health or social care. Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3 (professional secrecy obligations). Recital 53 emphasizes that processing for health-related purposes should be carried out by or under the responsibility of a professional subject to the obligation of professional secrecy.
Article 9(2)(i) — Public health. Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy.
Article 9(2)(j) — Archiving, research, and statistics. Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. The EDPB clarifies in Guidelines 1/2026 on scientific research (paragraph 33 and following) that controllers relying on this provision must implement the Article 89(1) safeguards—technical and organisational measures to respect data minimisation, including pseudonymisation where possible—and that Member State law may permit further processing for research without fresh consent only where those safeguards are in place.
Article 9(4) — Member State derogations
Article 9(4) permits Member States to maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health. Recital 53 clarifies that this should not hamper the free flow of personal data within the Union when those conditions apply to cross-border processing. Controllers operating across multiple Member States must map national derogations; some Member States impose age-of-consent thresholds or mandatory DPO appointment for health-data processing beyond the GDPR baseline.
Biometric data — "for the purpose of uniquely identifying"
Recital 51 and EDPB Guidelines 3/2019 on video devices (paragraphs 79–81) clarify that the processing of photographs is not systematically considered processing of special categories of personal data. Biometric data falls under Article 9(1) only when it is processed "for the purpose of uniquely identifying a natural person" through specific technical means (facial recognition, fingerprint matching). Capturing an image that happens to show someone's face is not Article 9 processing unless the controller deploys identification technology.
Enforcement and fine tier
Infringement of Article 9 falls under the higher administrative fine tier: up to €20 million or 4 % of total worldwide annual turnover, whichever is higher (Article 83(5)(a)). The European Data Protection Board coordinates enforcement posture through the consistency mechanism (Article 63).
Source: Regulation (EU) 2016/679 (GDPR), Article 9
Source: EDPB Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR (legitimate interests)
Source: EDPB Guidelines 3/2019 on processing of personal data through video devices
Source: EDPB Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak
Source: EDPB Guidelines 1/2026 on processing of personal data for scientific research
Article 7 GDPR — Conditions for consent (burden of proof, withdrawal, conditionality)
Article 7 GDPR imposes four operational requirements that controllers must satisfy when relying on consent under Article 6(1)(a) or explicit consent under Article 9(2)(a). The EDPB Guidelines 05/2020 on consent emphasize that consent is not merely a tick-box exercise but a lawful basis that requires demonstrable proof, clear presentation, easy withdrawal, and genuine freedom from conditionality. The CJEU's judgment in Planet49 (C-673/17, 1 October 2019) confirmed that pre-ticked checkboxes fail the Article 7 standard because they do not constitute an "unambiguous indication" of the data subject's wishes under Article 4(11).
Article 7(1) — Burden of proof: controller must demonstrate consent
Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. The burden of proof rests on the controller, not the data subject. The EDPB Guidelines 05/2020 state (paragraph 61) that "it is up to the controller to prove that valid consent was obtained from the data subject." The GDPR does not prescribe the technical means for demonstrating consent, but the EDPB emphasizes that controllers must be able to produce evidence showing that a specific data subject consented at a specific time to a specific processing operation. Common methods include timestamped logs of consent interactions, recordings of the exact wording shown to the data subject, and version control of privacy notices and consent banners. The obligation to demonstrate consent exists for as long as the processing activity continues; after processing ends, proof of consent must be retained only as long as necessary for compliance with a legal obligation or for the establishment, exercise, or defense of legal claims (Articles 17(3)(b) and (e)).
Article 7(2) — Presentation: distinguishable, intelligible, and plain language
If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding. This provision applies when consent is bundled with other contractual terms (e.g., terms of service, purchase agreements). The EDPB Guidelines 05/2020 (paragraph 47) clarify that "clearly distinguishable" requires visual and textual separation: the consent request must not be buried in a wall of text but must stand out, for example through headings, separate boxes, or distinct formatting. "Intelligible and easily accessible" means the request must be understandable to the average data subject in the target audience; technical jargon, double negatives, and complex sentence structures defeat this requirement. The final sentence of Article 7(2) provides that any clause that infringes the GDPR (for example, a clause purporting to waive the right to withdraw consent, or a clause requiring consent for processing that would otherwise be unlawful) is void and unenforceable.
Article 7(3) — Right to withdraw: as easy as to give
The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent. Withdrawal must be genuinely available at any moment, and the mechanism must be as simple as the mechanism used to obtain consent. The EDPB Guidelines 05/2020 (paragraph 64) state that "if consent is given by ticking a box when visiting an internet website, then it should be possible to withdraw consent just as easily (and there should be a box to tick to withdraw consent provided directly on the website)." A one-click "Accept All" button coupled with a multi-step withdrawal process hidden in account settings violates Article 7(3). The second sentence clarifies that withdrawal is not retroactive: processing carried out before withdrawal remains lawful, and the controller is not obliged to delete data if another lawful basis applies to that past processing. However, after withdrawal the controller must cease processing unless it can identify a different lawful basis under Article 6(1) (e.g., legitimate interests, legal obligation). The third sentence imposes a transparency requirement: before obtaining consent, the controller must inform the data subject of the right to withdraw and how to exercise it. This information must be provided as part of the Article 13 or 14 transparency obligations.
Article 7(4) — Prohibition on conditioning service on non-necessary consent
When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract. This provision codifies the prohibition on "consent bundling" or "forced consent." Consent is not freely given if access to a service is made conditional on consent to processing that is not objectively necessary for that service. The EDPB Guidelines 2/2019 on processing under Article 6(1)(b) clarify what "necessary for the performance of a contract" means: the processing must be objectively indispensable to deliver the core service. Behavioural advertising, analytics for product improvement, and cross-device tracking are generally not necessary for contract performance unless they form the essence of the bargain (e.g., a free-with-ads service where the ad funding model is transparent and the user has a genuine choice). The EDPB Opinion 08/2024 on valid consent in the context of "consent or pay" models applied Article 7(4) to large online platforms: "consent or pay" models can satisfy the GDPR only if the paid alternative is equivalent in functionality, if the price differential is proportionate, and if users retain a genuine choice. Tying access to the entire service to consent for all processing purposes—when those purposes are separable—creates unlawful conditionality. Recital 43 reinforces this principle: "Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance."
Interaction with ePrivacy and cookies
The CJEU held in Planet49 (C-673/17) that consent for the storage of cookies under Article 5(3) of the ePrivacy Directive (Directive 2002/58/EC) must meet the Article 4(11) and Article 7 GDPR standards. A pre-ticked checkbox does not constitute valid consent because it does not represent an "unambiguous indication" of the data subject's wishes: the user must take affirmative action (click, swipe, or speak) to signal agreement. This applies regardless of whether the cookies store personal data; the ePrivacy Directive protects the user's terminal equipment from interference, and GDPR consent standards apply by cross-reference (Article 2(f) ePrivacy Directive, as interpreted in Planet49 paragraph 62).
Fine tier
Infringement of Article 7 falls under the higher administrative fine tier: up to €20 million or 4 % of total worldwide annual turnover, whichever is higher (Article 83(5)(a)). Leading enforcement decisions include the CNIL's decisions against Google (€90 million, December 2020) and Amazon (€35 million, December 2020) for cookie-banner violations, including the failure to provide an easy "Reject All" button and the use of pre-ticked consent checkboxes.
Source: Regulation (EU) 2016/679 (GDPR), Article 7
Source: EDPB Guidelines 05/2020 on consent under Regulation 2016/679
Source: CJEU judgment in Bundesverband der Verbraucherzentralen und Verbraucherverbände v Planet49, C-673/17, 1 October 2019
Source: EDPB Opinion 08/2024 on valid consent in the context of consent or pay models
Article 10 GDPR — Processing of personal data relating to criminal convictions and offences
Article 10 GDPR establishes a distinct prohibition on processing personal data relating to criminal convictions and offences or related security measures, separate from and in addition to the Article 9 prohibition on special-category data. Processing of this category of data may be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority. Article 10 sits alongside Article 6(1) and (where applicable) Article 9: a controller processing data about criminal convictions must identify a lawful basis under Article 6(1) and must satisfy the Article 10 condition. This cumulative requirement (Article 6(1) + Article 10, or Article 6(1) + Article 9 + Article 10 where special-category data is also involved) is often misunderstood by controllers who assume that satisfying one provision suffices.
Scope — What falls under Article 10
Article 10 applies to personal data relating to criminal convictions and offences or related security measures. The text does not define these terms in detail. In the pending CJEU case NADA Austria and Others (C‑474/24), the Advocate General's Opinion (delivered 25 September 2025, not yet ruled on by the Court) analysed whether the term "criminal" is interpreted autonomously under EU law or by reference to national classifications. The Advocate General concluded that Article 10 "reserves such enhanced protection for criminal offences alone" and noted that it may apply to the keeping of registers of criminal convictions and offences by private bodies, for example in the context of combatting money laundering, the activities of forensic laboratories, or vehicle hire companies that identify drivers who have infringed road traffic regulations. This analysis is persuasive but not binding; the CJEU's judgment may adopt a different interpretation.
In Latvijas Republikas Saeima (C‑439/19), a preliminary reference asked whether penalty points for road traffic offences fell under Article 10. The Advocate General's Opinion (delivered 17 December 2020) analysed whether administrative penalty points constitute criminal sanctions by reference to the criteria developed by the European Court of Human Rights (the Engel test: legal classification, the nature of the offence, and the severity of the penalty). The Opinion suggested that not every administrative sanction is a criminal offence for Article 10 purposes, and that the severity and punitive character of the measure are decisive. Again, this is an Advocate General's Opinion, not a binding CJEU judgment; the Court has not yet delivered a definitive ruling on the autonomous interpretation of "criminal convictions and offences" under Article 10.
The two permitted conditions
Article 10 permits processing only if one of two conditions is satisfied:
1. Under the control of official authority. Processing is carried out under the direct supervision of a public body exercising official public-authority functions. The "control" requirement is strict: it is not enough for a private controller to report the data to a public authority after processing; the public authority must exercise ongoing supervision over the processing itself. This condition typically applies to law-enforcement agencies, judicial authorities, and public bodies maintaining official criminal registers.
2. Authorised by Union or Member State law providing for appropriate safeguards. Processing by a private controller (or a public controller not exercising official-authority functions in relation to the processing) is lawful only if a specific EU or Member State law authorises it and lays down appropriate safeguards for the rights and freedoms of data subjects. The law must specify the purposes of the processing, the categories of data, and the safeguards (such as access controls, retention limits, and data-subject rights). Generic references to "compliance with legal obligations" do not satisfy Article 10; the authorising law must be sufficiently clear and specific. Examples of authorising laws include anti-money-laundering directives requiring customer due diligence (which may involve screening against sanctions and criminal-offence databases), employment laws permitting background checks for certain roles (e.g., working with vulnerable persons), and sector-specific regulations (e.g., aviation security, financial-services licensing).
Comprehensive registers — official-authority monopoly
The second sentence of Article 10 provides that any comprehensive register of criminal convictions shall be kept only under the control of official authority. This creates a monopoly for official authorities: private controllers may not maintain comprehensive criminal-conviction databases, even if authorised by Member State law. The GDPR does not define "comprehensive register," and the CJEU has not yet ruled on the distinction between a comprehensive register and a more limited processing operation. As a practical matter, a register is likely "comprehensive" if it aims for completeness across a population or jurisdiction, rather than being limited to a narrow business purpose (e.g., a background check on a specific job applicant). National criminal-records databases operated by ministries of justice or police authorities are paradigmatic comprehensive registers and must remain under official control.
Interaction with Article 6(1) and Article 9
Article 10 is a threshold condition, not a lawful basis. A controller relying on Article 10 must also identify a valid Article 6(1) lawful basis. In practice:
- Official-authority controllers typically rely on Article 6(1)(c) (legal obligation) or Article 6(1)(e) (public task). The same Member State law that satisfies Article 10 will usually also satisfy Article 6(1)(c) or (e).
- Private controllers typically rely on Article 6(1)(c) (where the authorising law imposes a mandatory obligation, such as anti-money-laundering customer due diligence) or Article 6(1)(f) (legitimate interests, where the law permits but does not mandate the processing and the controller can demonstrate a balancing of interests). Consent under Article 6(1)(a) is possible in theory but problematic in practice because of the power imbalance inherent in background checks and the difficulty of showing that consent is freely given.
If the data also falls under Article 9(1) — for example, information about a criminal conviction that reveals racial or ethnic origin, political opinions, or health status — the controller must satisfy an Article 9(2) condition in addition to Article 6(1) and Article 10. The GDPR text and structure indicate that all three provisions must be satisfied, though the CJEU has not yet ruled on the specific interaction.
Practical application — common use cases
Background checks. Employers and other organisations conducting pre-employment or volunteer background checks must identify a Member State law that authorises the processing and lays down safeguards. Many Member States have enacted laws permitting or requiring criminal-record checks for roles involving work with children, vulnerable adults, or positions of trust (e.g., financial services, aviation security). The controller must verify that the check is authorised by law, that it is proportionate (limited to relevant offences and time periods), and that it complies with the safeguards in the authorising law (such as obtaining the data subject's written consent to request the check from the official authority, notifying the data subject of the result, and limiting retention to the period necessary for the hiring decision).
Anti-money laundering and sanctions screening. EU anti-money-laundering directives (Directive (EU) 2015/849 as amended) require obliged entities (banks, payment institutions, lawyers, accountants, and others) to conduct customer due diligence, including screening against sanctions lists and, where risk is elevated, checking for criminal convictions related to financial crime. This processing is authorised by EU law (transposed into Member State law) and falls within the Article 10 "authorised by Union or Member State law" condition. The obliged entity must document the lawful basis (typically Article 6(1)(c) legal obligation) and the Article 10 condition, and must apply the safeguards in the AML framework (such as data minimisation, purpose limitation, and deletion once the business relationship ends).
Credit reference agencies and fraud prevention. Some Member States permit credit reference agencies or fraud-prevention bodies to process data about criminal convictions for fraud, subject to specific safeguards. The processing must be authorised by national law that meets the Article 10 standard (specifying purposes, categories of data, retention periods, access controls, and data-subject rights). In the absence of such a law, processing criminal-conviction data for creditworthiness assessment or fraud scoring is unlawful under Article 10.
Enforcement and fine tier
Infringement of Article 10 falls under the higher administrative fine tier: up to €20 million or 4 % of total worldwide annual turnover, whichever is higher (Article 83(5)(a)). The European Data Protection Board coordinates enforcement posture through the consistency mechanism (Article 63). Supervisory authorities have issued corrective measures and fines in cases where controllers processed criminal-conviction data without a valid Article 10 condition, often bundling Article 10 violations with Article 5(1)(a) (lawfulness, fairness, transparency) and Article 6(1) (lack of lawful basis) violations.
Cross-border divergence — Member State authorising laws
Unlike Article 9, Article 10 does not contain an explicit Member State derogation clause. However, the second condition ("authorised by Union or Member State law") inherently produces cross-border divergence because Member States have enacted different authorising laws. For example:
- Employment background checks: Some Member States require criminal-record checks for certain roles (e.g., teaching, healthcare, childcare) and provide a statutory framework; others prohibit employers from requesting criminal-record data except in narrowly defined cases; still others leave it to sector-specific regulation.
- Spent convictions: Member States apply different rehabilitation periods and "spent conviction" rules. Some Member State laws require that spent convictions be disregarded or not disclosed in background checks; others permit disclosure for certain purposes.
- Private registers: A few Member States have enacted laws permitting industry-specific registers (e.g., financial-services fraud databases, tenant-screening databases) subject to safeguards; most have not, meaning that such registers are unlawful in the absence of specific authorisation.
Controllers operating across multiple Member States must map the national laws in each jurisdiction where they process criminal-conviction data. A processing operation lawful in one Member State (because authorised by that State's law) may be unlawful in another Member State that has not enacted equivalent authorisation.
Source: Regulation (EU) 2016/679 (GDPR), Article 10
Source: Opinion of Advocate General in CJEU Case C‑474/24, NADA Austria and Others, delivered 25 September 2025 (pending; not binding)
Source: Opinion of Advocate General in CJEU Case C‑439/19, Latvijas Republikas Saeima, delivered 17 December 2020 (persuasive but not binding)
Article 8 GDPR — Children's consent for information society services
Article 8 GDPR sets a mandatory age threshold for children's consent when processing is based on Article 6(1)(a) (consent) and the offer of information society services is made directly to a child. The processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years (Article 8(1)). Article 8 thus creates a harmonised EU floor of 13 years with a default threshold of 16, subject to national derogation downward. The controller must make reasonable efforts to verify that consent is given or authorised by the holder of parental responsibility, taking into consideration available technology (Article 8(2)).
Scope — Article 8 applies only to consent for information society services offered directly to a child
Article 8(1) applies "where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child." This creates three cumulative conditions:
1. The lawful basis is Article 6(1)(a) consent. If processing relies on a different lawful basis under Article 6(1) — contract (b), legal obligation (c), vital interests (d), public task (e), or legitimate interests (f) — Article 8 does not apply and the controller does not need parental consent. The EDPB emphasises in Guidelines 05/2020 on consent (paragraph 115) that Article 8 is triggered only when the controller chooses consent as the lawful basis; it does not impose a general requirement that all processing of children's data must be based on parental consent. However, Recital 38 GDPR makes clear that children merit specific protection because they may be less aware of the risks, consequences, and safeguards concerned and their rights in relation to the processing of personal data. Controllers relying on other lawful bases must still consider children's vulnerability when conducting the legitimate-interests balancing test under Article 6(1)(f) or when designing transparent information under Articles 13 and 14.
2. The service is an "information society service." Article 4(25) GDPR cross-references the definition in Directive (EU) 2015/1535, Article 1(1)(b): a service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services. This encompasses websites, apps, social networks, online games, streaming services, and cloud storage platforms. The EDPB clarifies in Guidelines 05/2020 (paragraph 116) that the concept of "information society service" is broad and includes services that do not charge a monetary fee but are funded by advertising or data monetisation (e.g., free-with-ads social networks). The ePrivacy Directive (Directive 2002/58/EC) uses the same definition, so cookies and tracking mechanisms deployed by information society services trigger both GDPR consent requirements and ePrivacy consent requirements, with Article 8 age thresholds applying to both.
3. The service is offered "directly to a child." The EDPB states in Guidelines 05/2020 (paragraph 117) that a service is offered directly to a child if it is obviously addressed to children, for example because of the design, language, content, or marketing of the service. If a service is clearly targeted at adults but a child happens to use it, Article 8 does not apply unless the controller knows or should know that the user is a child. If a service is designed for a general audience including both adults and children, the EDPB takes the view that Article 8 applies to child users: the controller must implement age-verification mechanisms and obtain parental consent for users below the threshold. The EDPB notes (paragraph 118) that this interpretation aligns with Recital 38, which states that Article 8 applies "in order to enhance the protection of children."
The age threshold — 16 by default, Member State derogation to 13
Article 8(1) establishes a default threshold of 16 years. A child who is 16 or older can give valid consent for the processing of their personal data in the context of information society services offered directly to them; the controller does not need parental consent. For children below 16, consent must be given or authorised by the holder of parental responsibility. Member States may provide by law for a lower age, but not below 13 years. The EDPB notes in Guidelines 05/2020 (paragraph 119) that Member States have exercised this derogation and that the resulting thresholds vary across the Union, ranging from 13 to 16. The controller offering services across multiple Member States must apply the threshold of the Member State where the child is habitually resident. The EDPB acknowledges (paragraph 120) that multi-jurisdictional compliance is operationally challenging and recommends that controllers adopt the highest threshold (16) if they cannot reliably determine the user's location — though this is a recommendation, not a legal requirement.
Unable to confirm Member State–by–Member State age thresholds as of 2026-06-01.
Parental consent — "given or authorised by the holder of parental responsibility"
Where the child is below the applicable age threshold, Article 8(1) requires that consent be "given or authorised by the holder of parental responsibility over the child." The GDPR does not define "holder of parental responsibility"; Member State family law determines who has parental responsibility (typically parents, legal guardians, or, in some cases, the child-welfare authority). The EDPB clarifies in Guidelines 05/2020 (paragraph 122) that "given or authorised" means the parent may either give the consent themselves (e.g., by creating the child's account and ticking the consent box) or authorise the child to give consent on the parent's behalf (e.g., by providing the child with a parental access code or confirming the child's consent request via email). The key requirement is that the controller must obtain demonstrable proof that the parent was involved in the consent decision. Merely asking the child to confirm that they have parental permission does not satisfy Article 8; the controller must implement a mechanism that provides a reasonable level of assurance that the person giving or authorising consent is actually the parent.
Reasonable efforts to verify parental consent — Article 8(2)
Article 8(2) imposes a verification obligation: "The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology." The GDPR does not prescribe a specific age-verification or parental-verification method. The EDPB states in Guidelines 05/2020 (paragraph 124) that "reasonable efforts" is a proportionality test: the verification measures must be appropriate to the risks of the processing and the state of the art in age-verification technology. Low-risk processing (e.g., a children's educational game that collects only a username and high scores) may satisfy Article 8(2) with a simple parental-email confirmation loop (the child enters an email address, the controller sends a verification link to that address, and the parent clicks to confirm). Higher-risk processing (e.g., a social network that collects location data, contact lists, and deploys profiling for behavioural advertising) requires more robust verification. The EDPB cites (paragraph 124) examples including credit-card or payment-method verification, government-issued ID upload and automated or manual identity verification, and soft identifiers combined with knowledge-based authentication. The EDPB emphasises (paragraph 125) that the controller must document the rationale for the chosen verification method and must be able to demonstrate compliance with Article 8(2) to the supervisory authority. The "taking into consideration available technology" phrase in Article 8(2) means that controllers must periodically review and update their verification methods as technology evolves; a method that was state-of-the-art in 2018 may no longer be reasonable in 2026.
Interaction with Article 9 special-category data
If the processing involves special-category data under Article 9(1) (e.g., health data, biometric data for unique identification, data revealing religious or philosophical beliefs), the controller must satisfy both Article 8 and Article 9. Article 8 governs the consent threshold for the Article 6(1)(a) lawful basis; Article 9(2)(a) requires explicit consent as the condition for lifting the prohibition on special-category processing. Both consents must be obtained — and if the child is below the Article 8 age threshold, the explicit consent under Article 9(2)(a) must also be given or authorised by the parent. The EDPB notes in Guidelines 05/2020 (paragraph 127) that a single consent request may satisfy both Article 8 and Article 9(2)(a) if it is sufficiently clear, specific, and informed, but the controller must separately document compliance with both provisions.
Preventive or counselling services — Recital 38 guidance
Recital 38 GDPR states: "The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child." This creates a narrow exception: if the service is a preventive or counselling service (e.g., sexual-health advice, mental-health counselling, substance-abuse helplines, domestic-violence support), the controller may process the child's personal data on the basis of the child's own consent without involving the parent, even if the child is below the Article 8 age threshold. The rationale is child protection: requiring parental involvement in these contexts could deter children from seeking help in situations where the parent is part of the problem (abuse, family conflict). However, Recital 38 is a recital, not an operative article, and does not itself create enforceable rights; Member State law may impose additional conditions or limitations. Controllers relying on the preventive-or-counselling exception must document how the service falls within that category and should consider whether another lawful basis (e.g., vital interests under Article 6(1)(d) if the child's health or safety is at stake) may be more appropriate.
Enforcement and fine tier
Infringement of Article 8 falls under the higher administrative fine tier: up to €20 million or 4 % of total worldwide annual turnover, whichever is higher (Article 83(5)(a)). The EDPB coordinates enforcement through the consistency mechanism (Article 63). Supervisory authorities have issued enforcement decisions against controllers that failed to implement effective age-verification or parental-consent mechanisms, often bundling Article 8 violations with Article 5(1)(a) (fairness, lawfulness), Article 7 (conditions for consent), and Article 25 (data protection by design and by default) violations.
Source: Regulation (EU) 2016/679 (GDPR), Article 8
Source: EDPB Guidelines 05/2020 on consent under Regulation 2016/679
Article 8 GDPR — Children's consent for information society services (age thresholds and parental consent)
Article 8 GDPR establishes a special consent regime for the processing of children's personal data when the controller offers information society services directly to a child and relies on consent under Article 6(1)(a) as the lawful basis. The default rule is that a child may give valid consent at age 16 or above; below that age, consent must be given or authorised by the holder of parental responsibility. Member States may lower the age threshold by law to no less than 13 years. Article 8 operates as a mandatory overlay on Article 6(1)(a) consent in this specific context—it does not displace the Article 7 conditions (burden of proof, withdrawal, conditionality) but adds the age and parental-consent requirements. The EDPB Guidelines 05/2020 on consent (paragraphs 118–124) clarify the scope and application of Article 8.
Scope — "offer of information society services directly to a child"
Article 8(1) applies when three conditions are met: (1) the lawful basis is consent under Article 6(1)(a), (2) the controller offers an information society service, and (3) the service is offered "directly to a child." Information society services are defined by reference to Directive (EU) 2015/1535 Article 1(1)(b) (formerly Directive 98/34/EC): services normally provided for remuneration, at a distance, by electronic means, and at the individual request of a recipient. The definition is technology-neutral and covers websites, apps, social media platforms, online gaming, cloud services, streaming platforms, and e-commerce. The EDPB Guidelines 05/2020 (paragraph 119) note that the term is broad and includes most online services; the crucial limitation is "offered directly to a child."
"Directly to a child" means the service is intentionally targeted at or clearly intended for use by children, assessed objectively by reference to the controller's design choices, marketing, terms of service, and content. A general-audience service that happens to have some child users does not fall within Article 8 unless the controller markets it to children, designs age-specific features, or otherwise makes clear that children are the intended audience. Recital 38 GDPR provides context: "Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child." The EDPB emphasizes that Article 8 is intended to protect children from exploitation in contexts where they are the primary users or where the controller has designed the service with children in mind.
If the service is not offered directly to a child—for example, a general e-commerce site or a B2B platform—Article 8 does not apply even if some users are children. If the lawful basis is not consent (e.g., Article 6(1)(b) contract, Article 6(1)(f) legitimate interests), Article 8 likewise does not apply, though Recital 38 and the principle of fairness under Article 5(1)(a) still require heightened protection for children's data generally. The EDPB Guidelines 1/2024 on legitimate interests (paragraph 93) note that when processing children's data under Article 6(1)(f), "the provision must be interpreted in light of the UN Convention on the Rights of the Child" and the balancing test must give substantial weight to the child's interests and reasonable expectations.
Age threshold — 16 years default, Member State range 13–16
Article 8(1) sets the default threshold at 16 years. A child who is at least 16 years old may give consent under Article 6(1)(a) for the processing of personal data in relation to an information society service offered directly to them; no parental involvement is required. Where the child is below 16 years, processing is lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
Member State derogation. Article 8(1), final sentence, provides: "Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years." Each Member State may legislate a threshold anywhere in the range 13–16 inclusive. Member States have exercised this discretion and enacted thresholds across the permitted range. The European Commission's 2024 GDPR evaluation report (COM(2024) 357 final) notes that "stakeholders report encountering difficulties arising from fragmentation in national rules where Member States have the possibility to specify the GDPR, in particular concerning: the minimum age for a child's consent in relation to the offer of information society services to this child." Controllers operating across multiple Member States must map the applicable threshold in each jurisdiction where they offer services directly to children. The EDPB has not published a comprehensive official register of Member State age thresholds; controllers must consult each Member State's national data-protection law to determine the applicable age.
Parental consent — "given or authorised by the holder of parental responsibility"
Where the child is below the applicable age threshold, consent must be given or authorised by the holder of parental responsibility over the child. "Holder of parental responsibility" is not defined in the GDPR; it is determined by the applicable national family law (which may vary by Member State). Typically, this means a parent or legal guardian. The phrase "given or authorised" indicates that the parent may either give consent directly (the parent interacts with the controller's consent mechanism) or authorise the child to give consent (the parent approves the child's expression of consent, for example through a parental-control dashboard or a verification code). The EDPB Guidelines 05/2020 (paragraph 122) clarify that in either case, the controller must have a mechanism for obtaining and recording parental involvement and must be able to demonstrate that consent was given or authorised by the parent, consistent with the Article 7(1) burden of proof.
All Article 7 conditions apply to parental consent. Consent given by a parent on behalf of a child must be freely given, specific, informed, and unambiguous (Article 4(11)). The parent must be provided with the same information required under Articles 13 or 14 (identity of the controller, purposes of processing, categories of data, retention period, rights to withdraw, etc.), presented in clear and plain language. The parent must have the right to withdraw consent at any time, and withdrawal must be as easy as giving consent (Article 7(3)). The prohibition on conditioning service on non-necessary consent (Article 7(4)) applies: a controller may not refuse to provide a service to a child unless the parent consents to processing that is not objectively necessary for that service.
Article 8(2) — "Reasonable efforts to verify"
Article 8(2) imposes a verification obligation but does not prescribe the method. "The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology." The standard is reasonable efforts, not absolute certainty. The GDPR does not mandate a specific age-verification or parental-verification technology; the EDPB Guidelines 05/2020 (paragraph 123) state that "what is 'reasonable' will depend on the risks inherent in the processing as well as the available technology." For low-risk processing (e.g., a simple newsletter signup), a declaration by the parent or a confirmation email to a parent-provided address may suffice. For high-risk processing (e.g., geolocation tracking, profiling, or creation of a publicly visible profile), more robust verification may be required, such as double opt-in with parental ID verification, video verification, or payment-card authorization (on the theory that a payment card is likely held by an adult). The EDPB emphasizes that controllers must document their assessment of the risks and the verification method chosen, and must be able to demonstrate compliance with Article 8(2).
The EDPB has cautioned against verification methods that themselves create privacy risks. For example, requiring upload of a parent's identity document or biometric verification may involve excessive processing of the parent's personal data unless strictly necessary and proportionate. Controllers should apply data minimization (Article 5(1)(c)) and purpose limitation (Article 5(1)(b)): verification data should be used only for the purpose of verifying parental consent and should not be retained longer than necessary for that purpose or repurposed for marketing or profiling.
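As an added example (not from the page, the EDPB, or any project the page cites), the following Python models the Article 8 gate described in this section and in the earlier "Reasonable efforts to verify parental consent" section: the three cumulative conditions, threshold resolution with the 16-year fallback when the Member State cannot be determined, and the parental-email confirmation loop with a single-use, expiring token and a consent record that keeps only a keyed hash of the parent's address. The two-letter State codes and their thresholds are constructed placeholders, not real national law, and the mail sender is a stub.

```python
"""Hypothetical Article 8 GDPR parental-consent gate (added example, not page code)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

DEFAULT_AGE = 16  # Article 8(1) default threshold
FLOOR_AGE = 13    # Article 8(1): a Member State may lower the age, but not below 13

# Constructed sample mapping of Member State code -> national threshold.
# "XX" and "YY" are placeholders; real values must come from national law.
NATIONAL_THRESHOLDS: Dict[str, int] = {"XX": 13, "YY": 14}


def applicable_threshold(member_state: Optional[str],
                         thresholds: Dict[str, int] = NATIONAL_THRESHOLDS) -> int:
    """Resolve the age threshold for a user.

    Unknown location falls back to 16 (the EDPB recommendation the page
    mentions); a mapped value outside 13..16 is a configuration error.
    """
    if member_state is None or member_state not in thresholds:
        return DEFAULT_AGE
    age = thresholds[member_state]
    if not FLOOR_AGE <= age <= DEFAULT_AGE:
        raise ValueError(f"threshold {age} for {member_state} is outside the Article 8(1) range")
    return age


def needs_parental_consent(age: int, member_state: Optional[str],
                           lawful_basis: str = "consent",
                           directly_to_child: bool = True) -> bool:
    """Article 8 bites only when all three cumulative conditions hold."""
    if lawful_basis != "consent" or not directly_to_child:
        return False
    return age < applicable_threshold(member_state)


@dataclass
class ConsentRecord:
    """Demonstrable proof of parental involvement (Article 7(1) burden of proof)."""
    child_account: str
    purposes: Tuple[str, ...]       # consent is specific to named purposes
    parent_email_hash: str          # keyed hash only: data minimisation, Art. 5(1)(c)
    token_hash: str
    expires_at: float
    confirmed_at: Optional[float] = None


class ParentalConsentGate:
    TOKEN_TTL = 24 * 3600  # assumption: a confirmation link is valid for one day

    def __init__(self, key: bytes, send_mail: Callable[[str, str], None],
                 clock: Callable[[], float] = time.time) -> None:
        self._key = key
        self._send = send_mail
        self._clock = clock
        self._pending: Dict[str, ConsentRecord] = {}    # token_hash -> record
        self._confirmed: Dict[str, ConsentRecord] = {}  # child_account -> record

    def _hash(self, value: str) -> str:
        return hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()

    def request(self, child_account: str, parent_email: str, purposes) -> None:
        """Step 1: the child supplies a parent address; a link goes only to that address."""
        token = secrets.token_urlsafe(32)
        rec = ConsentRecord(child_account, tuple(purposes),
                            self._hash(parent_email.lower()), self._hash(token),
                            self._clock() + self.TOKEN_TTL)
        self._pending[rec.token_hash] = rec
        self._send(parent_email, f"https://example.invalid/consent/confirm?t={token}")

    def confirm(self, token: str) -> bool:
        """Step 2: the parent clicks the link. The token is single-use and expires."""
        rec = self._pending.pop(self._hash(token), None)
        if rec is None or self._clock() > rec.expires_at:
            return False
        rec.confirmed_at = self._clock()
        self._confirmed[rec.child_account] = rec
        return True

    def may_process(self, child_account: str, purpose: str) -> bool:
        """Processing is allowed only for purposes the parent actually consented to."""
        rec = self._confirmed.get(child_account)
        return rec is not None and purpose in rec.purposes

    def withdraw(self, child_account: str) -> bool:
        """Article 7(3): withdrawal is as easy as giving consent."""
        return self._confirmed.pop(child_account, None) is not None
```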
Article 8(3) — Savings clause for contract law
Article 8(3) provides: "Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child." This is a savings clause: Article 8 governs when a child may consent to data processing under the GDPR, but it does not harmonise or override national contract-law rules on a child's capacity to enter into a contract. A child who is old enough to consent to data processing under Article 8 may nonetheless lack capacity to enter into a binding contract under national contract law. Conversely, a child who has contractual capacity under national law may still require parental consent for data processing under Article 8 if the controller relies on Article 6(1)(a) consent.
This decoupling can create practical challenges. If the controller relies on Article 6(1)(b) (contract) as the lawful basis, Article 8 does not apply by its terms (since Article 8(1) applies only "where point (a) of Article 6(1) applies"). However, the controller must still assess whether the child has capacity to enter into the contract under national contract law. If the child lacks such capacity, the contract may be void or voidable, which in turn means Article 6(1)(b) cannot be satisfied (processing is not necessary for the performance of a contract if no valid contract exists). The EDPB Guidelines 2/2019 on Article 6(1)(b) (paragraph 56 and footnote 40) note that "the concept of necessity has an autonomous meaning under EU data protection law" but that controllers must also consider national contract-law capacity rules when relying on Article 6(1)(b) for processing children's data.
Preventive or counselling services — Recital 38 exception
Recital 38 states: "The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child." This is not codified in the Article 8 operative text, but Recitals are interpretive aids and reflect the legislator's intent. The exception recognises that requiring parental consent for certain sensitive services—such as mental-health counselling, sexual-health advice, substance-abuse support, or reporting of abuse—could deter children from seeking help and may conflict with the child's autonomy and welfare. Controllers offering such services should document the basis for invoking the Recital 38 exception and should apply heightened safeguards (transparency tailored to the child's understanding, easy withdrawal, no secondary uses of the data) to ensure the processing remains fair and lawful under Article 5(1)(a).
Interaction with Article 9 special-category data
Article 8 does not displace Article 9. If the processing involves special-category data (health data, biometric data for unique identification, etc.), the controller must satisfy both an Article 6(1) lawful basis and an Article 9(2) condition. For children's health data processed for a counselling service, the controller might rely on Article 6(1)(a) consent plus Article 9(2)(a) explicit consent. If Recital 38 applies (preventive or counselling services), parental consent may not be required under Article 8, but the controller must still obtain the child's own explicit consent under Article 9(2)(a) and must assess whether the child has sufficient maturity to give informed explicit consent to processing of special-category data. The EDPB has not published specific guidance on this interaction, but the principle of fairness under Article 5(1)(a) requires that controllers do not exploit children's lack of awareness when seeking explicit consent for sensitive processing.
Enforcement and fine tier
Infringement of Article 8 (failure to obtain parental consent where required, or failure to make reasonable verification efforts) falls under the higher administrative fine tier: up to €20 million or 4 % of total worldwide annual turnover, whichever is higher (Article 83(5)(a)). Supervisory authorities have brought enforcement actions against social-media platforms, gaming services, and ed-tech providers for failures to implement effective age-gating and parental-consent mechanisms. The EDPB's binding decision 2/2023 on TikTok Technology Limited (adopted 2 August 2023) addressed, among other issues, the platform's processing of children's data and consent practices, and the Irish DPC subsequently imposed a €345 million administrative fine (September 2023). National supervisory authorities have similarly issued decisions addressing Article 8 compliance in contexts ranging from children's apps to online gaming.
Source: Regulation (EU) 2016/679 (GDPR), Article 8
Source: GDPR Recital 38
Source: EDPB Guidelines 05/2020 on consent under Regulation 2016/679
Source: EDPB Guidelines 2/2019 on processing under Article 6(1)(b) GDPR
Source: EDPB Guidelines 1/2024 on processing based on Article 6(1)(f) GDPR (legitimate interests)
Source: European Commission Report COM(2024) 357 final on the application of Regulation (EU) 2016/679