Principles, rights, and lawful basis — GDPR Articles 5, 6, 9, 12–22

This page covers the substantive obligations that sit at the heart of GDPR: the six processing principles in Article 5, the six lawful bases in Article 6, the special-categories regime in Article 9, and the rights of the data subject in Articles 12–22. Article 22 (automated individual decision-making, including profiling) is the most legally consequential provision for AI systems and is the page's anchor.

Quick decision

  • AI system processes personal data → start with the Article 5 principles. Establish a lawful basis under Article 6 per processing purpose (training, inference, logging, monitoring, analytics are often different purposes with different bases).
  • Special categories of data (Article 9(1)) — racial / ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, health data, sex life, sexual orientation → processing prohibited unless one of the Article 9(2)(a)–(j) exceptions applies. Article 9(2)(a) explicit consent and Article 9(2)(g) substantial public interest with Union / Member State law are the most operationally relevant exceptions.
  • Automated decisions about natural persons with legal or similarly significant effects → Article 22(1) right applies. Plan around the three Article 22(2) exceptions (contract necessity / Union or Member State law authorisation / explicit consent) and the Article 22(3) safeguards (human intervention, express view, contest). Special-category data adds Article 22(4) restrictions.
  • Marketing, personalisation, or recommendations → Article 6(1)(f) legitimate interests is a candidate, but the three-prong test (purpose / necessity / balancing against data-subject rights) must be documented. Article 6(1)(a) consent is the alternative.
  • Data subject exercises a right → the Article 12 transparency rules apply (response within one month under Article 12(3); extension by two further months in complex cases; refusal grounds; identity verification).

TL;DR

  • Article 5(1)(a)–(f) sets the six principles; Article 5(2) sets accountability. Accountability is the operative bridge.
  • Article 6(1)(a)–(f) lists the six lawful bases. Lawful basis is decided per processing purpose, not per system.
  • Article 9(1) prohibits processing of special categories of data unless an Article 9(2)(a)–(j) exception applies.
  • Articles 12–14 transparency. Articles 15–22 rights — access (15), rectification (16), erasure (17), restriction (18), portability (20), objection (21), automated decisions (22).
  • Article 22 is the most-cited GDPR provision for AI: a right not to be subject to decisions based solely on automated processing producing legal or similarly significant effects, with three Article 22(2) exceptions and the Article 22(3) safeguards.
  • Article 22 GDPR ≠ Article 14 EU AI Act. The data-subject right and the high-risk-AI human-oversight design obligation are distinct duties.

Primary source

Regulation (EU) 2016/679 on EUR-Lex (CELEX 32016R0679) — Articles 5, 6, 9, 12–22 · EDPB-endorsed WP29 Guidelines on Automated individual decision-making and Profiling (17/EN WP251rev.01) — the operative Article 22 guidance

Article 5 — principles relating to processing of personal data

Article 5(1) sets out the six principles verbatim:

Personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

Article 5(2) sets the accountability principle:

The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).

Practical implication for AI: each principle generates an evidence requirement. "Lawfulness" requires a documented lawful-basis decision; "purpose limitation" requires a documented purpose statement and a compatibility-test record before any new purpose; "data minimisation" requires a data-map and a justification for each field; "accuracy" requires data-quality and drift-monitoring records; "storage limitation" requires a retention schedule; "integrity and confidentiality" requires Article 32 security evidence; "accountability" is the meta-principle that requires all of the above to be demonstrable.

Article 6 — lawful basis

Article 6(1) sets out the six lawful bases verbatim:

Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Two operational points for AI:

  1. Per-purpose, not per-system. A single AI service usually processes personal data for several purposes — training, fine-tuning, inference, logging, monitoring, security, fraud detection, product analytics, model improvement. Each is a distinct processing purpose under Article 5(1)(b), and each requires its own lawful basis under Article 6(1).
  2. Public authorities and Article 6(1)(f). The second subparagraph of Article 6(1) provides that point (f) (legitimate interests) does not apply to processing carried out by public authorities in the performance of their tasks. Public-sector AI deployments cannot rely on legitimate interests for in-task processing.

Article 6(4) sets out the compatibility test where processing for a purpose other than that for which the personal data were collected is not based on consent or on a Union or Member State law: the controller must, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia, (a) any link between the purposes; (b) the context in which the personal data were collected; (c) the nature of the personal data, in particular whether special categories are processed; (d) the possible consequences of the intended further processing; (e) the existence of appropriate safeguards (including encryption or pseudonymisation).

Article 9 — special categories of personal data

Article 9(1) prohibits the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

Article 9(2) lists ten exceptions (a)–(j) under which the Article 9(1) prohibition does not apply. The most operationally relevant for AI use cases:

  • Article 9(2)(a) — explicit consent for one or more specified purposes.
  • Article 9(2)(b) — necessity for carrying out obligations and exercising specific rights in the field of employment, social security, and social protection law.
  • Article 9(2)(g) — necessity for reasons of substantial public interest, on the basis of Union or Member State law.
  • Article 9(2)(h) — necessity for the purposes of preventive or occupational medicine, the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services.
  • Article 9(2)(i) — necessity for reasons of public interest in the area of public health.
  • Article 9(2)(j) — necessity for archiving purposes in the public interest, scientific or historical research, or statistical purposes in accordance with Article 89(1).

Article 9(4) preserves the right of Member States to maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data, or data concerning health. For AI systems that use biometric or health data, the applicable national law must be checked in addition to Article 9.

Articles 12–14 — transparency and information duties

Article 12 sets the transparency baseline: information shall be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language. Article 12(3) sets the response timeline for data subject rights requests — without undue delay and in any event within one month of receipt, extendable by two further months where necessary, taking into account the complexity and number of the requests.

Article 13 applies when personal data are collected from the data subject. Article 14 applies when personal data have not been obtained from the data subject. Both Articles require disclosure of:

  • the identity and contact details of the controller and, where applicable, the DPO;
  • the purposes of the processing and the lawful basis;
  • where applicable, the legitimate interests pursued (Article 6(1)(f));
  • the recipients or categories of recipients of the personal data;
  • where applicable, the fact that the controller intends to transfer personal data to a third country (with the safeguards);
  • the period for which personal data will be stored;
  • the existence of data subject rights;
  • the right to lodge a complaint with a supervisory authority;
  • the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject (Article 13(2)(f) / Article 14(2)(g)).

The Article 13(2)(f) / 14(2)(g) automated-decision disclosure is the GDPR's transparency mechanism for AI — it forces controllers to explain "meaningful information about the logic involved" and the "significance and envisaged consequences" of the automated decision-making for the data subject.

Article 14(3) sets the timing for the information notice when the data have not been obtained from the data subject: within a reasonable period, at the latest within one month; or, if the personal data are used for communication with the data subject, at the latest at the time of the first communication; or, if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.

Article 14(5) sets four exemptions to Article 14: (a) the data subject already has the information; (b) provision proves impossible or would involve disproportionate effort (particularly for archiving / research / statistical purposes subject to Article 89(1) safeguards); (c) obtaining or disclosure is expressly laid down by Union or Member State law; (d) the personal data must remain confidential subject to professional secrecy.

Articles 15–21 — data subject rights

Each right has its own conditions and exemptions; the high-level surface:

  • Article 15 — right of access. Confirmation of whether personal data are being processed; access to the personal data; and information mirroring Articles 13 and 14.
  • Article 16 — right to rectification. Inaccurate personal data corrected; incomplete personal data completed.
  • Article 17 — right to erasure (‘right to be forgotten’). Six grounds for erasure in Article 17(1); five exceptions in Article 17(3)(a)–(e) (freedom of expression and information; compliance with a legal obligation, or for the performance of a task carried out in the public interest or in the exercise of official authority; reasons of public interest in the area of public health under Article 9(2)(h) and (i) and Article 9(3); archiving / research / statistical under Article 89(1); establishment, exercise or defence of legal claims).
  • Article 18 — right to restriction of processing. Four grounds in Article 18(1).
  • Article 19 — notification obligation regarding rectification or erasure or restriction. The controller notifies each recipient to whom the personal data have been disclosed.
  • Article 20 — right to data portability. Applies where the processing is based on consent under Article 6(1)(a) or 9(2)(a) or on a contract under Article 6(1)(b), and is carried out by automated means.
  • Article 21 — right to object. Article 21(1) for processing based on Article 6(1)(e) or (f); Article 21(2)–(3) for direct marketing (an absolute right); Article 21(6) for scientific/historical research or statistical purposes.

For AI use cases, Article 15(1)(h) (the data subject's right to receive information about automated decision-making including profiling, mirroring the Article 13(2)(f) / 14(2)(g) disclosure) and Article 17(1)(c) erasure where the data subject objects under Article 21 are operationally important.

Article 22 — automated individual decision-making, including profiling

Article 22(1) is the central provision:

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

Article 22(2) carves out three exceptions:

Paragraph 1 shall not apply if the decision:

(a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;

(b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or

(c) is based on the data subject's explicit consent.

Article 22(3) requires safeguards where Article 22(2)(a) or (c) applies:

In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

Article 22(4) restricts automated decisions based on special categories of data:

Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place.

Three operational points:

  1. "Solely" matters. Article 22(1) applies only where the decision is based "solely" on automated processing. Meaningful human review can take the processing out of Article 22 scope — but the human review must be substantive (capable of changing the outcome based on the human reviewer's own analysis), not nominal rubber-stamping. The EDPB Guidelines (adopting WP29 17/EN WP251rev.01) set the substantive-review standard.
  2. "Legal effects" or "similarly significantly affects." Examples of legal effects include automatic refusal of online credit applications, e-recruiting practices without human intervention, and other decisions affecting access to services or contractual terms. "Similarly significantly affects" includes decisions that affect the data subject's circumstances, behaviour, or choices in a sustained or permanent manner — pricing decisions that affect access to a service, automated denial of a benefit, eligibility decisions in insurance or healthcare.
  3. Article 22 GDPR ≠ Article 14 EU AI Act. Article 22 is a data subject right exercisable against a controller. Article 14 EU AI Act is a provider-side design obligation that high-risk AI systems be designed and developed in such a way that they can be effectively overseen by natural persons during the period the AI system is in use. Both may apply concurrently — compliance with one does not satisfy the other.

How to operationalize Articles 5, 6, 9, 12–22 in Modulos

| Layer | Modulos surface | Coverage |
|---|---|---|
| Article 5 principles | OFF-11 ORF-225 (and per-purpose evidence on MFF-12 where applicable) | Article 5(1)(a)–(f) + 5(2) |
| Article 6 lawful basis | OFF-11 ORF-226 | Article 6(1)(a)–(f) per-purpose decision |
| Article 7–8 consent | OFF-11 ORF-227 | Conditions for consent + child's consent |
| Article 9 special categories | (per-purpose evidence linked to relevant OFF-11 / MFF-12 requirements) | Article 9(1)–(4) |
| Article 12 transparency baseline | OFF-11 ORF-231 | Article 12 modalities and timeline |
| Articles 13–14 information duties | OFF-11 ORF-232 | Article 13 / 14 transparency notice |
| Articles 15–22 data subject rights (including Article 22 automated decisions) | MFF-12 MRF-233–MRF-240 | Per-AI-system rights workflow + Article 22 substantive review |

A typical setup:

  1. Requirements — each Article 5 / 6 / 9 / 12–22 obligation is recorded as a requirement on the relevant project. Fulfilment tracks through Not fulfilled → Fulfilled (with optional Out of scope).
  2. Controls — implemented work (per-purpose lawful basis assessment, Article 6(1)(f) legitimate interests three-prong test, Article 9(2) exception memo where applicable, Article 13 / 14 transparency notice, data subject rights workflow, Article 22 substantive-review process where applicable) is documented as named controls.
  3. Evidence — lawful basis decision records, balancing tests, special-categories assessments, transparency notice versions, rights-request response packages, automated-decision human-review records, contestation records are recorded once and linked to multiple controls.
  4. Readiness + fulfilment attestation — when controls are in a final state, the requirement becomes ready for review; the requirement owner attests fulfilment.
  5. No dedicated DSAR UI surface — data subject rights requests are tracked as evidence linked to the relevant Article 15–22 requirements. The same applies to Article 22 substantive-review records.

Cross-framework mapping (preview)

| GDPR area | EU AI Act (Regulation (EU) 2024/1689) | ISO/IEC 27701 |
|---|---|---|
| Art 5(1)(a)–(f) principles | Article 10 data governance (data quality, lawful sourcing of training data) | PIMS Annex A / B controls — privacy by design, purpose specification, retention |
| Art 5(2) accountability | Article 26 (deployer obligations) + Article 17 QMS | PIMS Clause 5 leadership, Clause 7 support, Clause 10 improvement |
| Art 6 lawful basis | Article 10 (training data lawfulness for high-risk AI) | (PIMS doesn't decide lawful basis) |
| Art 9 special categories | Article 5(1)(c) social scoring + Article 10 special-category restrictions for high-risk AI | (no direct equivalent) |
| Arts 12–14 transparency | Article 13 (transparency to deployers) + Article 50 (transparency to natural persons) | PIMS Annex B disclosure controls |
| Art 22 automated decisions | Article 14 (human oversight design) — distinct duty | (no direct equivalent) |
| Arts 15–21 rights | (no direct equivalent — AI Act doesn't grant data-subject rights) | PIMS Annex B access / rectification controls |

For the pairwise treatment with the EU AI Act see EU AI Act vs GDPR.

Source attribution

Regulation (EU) 2016/679 (GDPR) is published in the Official Journal of the European Union L 119, 4.5.2016, pp. 1–88; corrigendum in OJ L 127, 23.5.2018, pp. 2–5. Articles 5(1), 5(2), 6(1), 22(1), 22(2), 22(3), and 22(4) on this page are quoted from the OJ text (verifiable against the EUR-Lex CELEX). The Article 22 interpretation reflects the EDPB-endorsed WP29 Guidelines on Automated individual decision-making and Profiling (WP251rev.01).

Disclaimer

This page is for general informational purposes and does not constitute legal advice.