GDPR Article 6 — Lawfulness of processing
Note: this explainer is informational and framework references are never a compliance guarantee — align your program with your legal counsel.
What Article 6 requires
Processing personal data is lawful only if at least one of Article 6's legal bases applies — consent, contract, legal obligation, vital interests, public task, or legitimate interests. No basis, no processing. The basis must exist for the specific processing, not for the company in general.
What it means for your company
Your privacy program established legal bases for your CRM, your HR system, your support desk. It almost certainly did not establish one for "employee pastes customer data into a consumer AI chatbot" — that disclosure is a new processing operation, often to a new controller, that nobody assessed. Shadow AI usage is, in GDPR terms, processing without a decided basis.
How Shield operationalizes it
The cleanest answer to basis-less processing is that it never happens: the Transform PII before it reaches AI tools and Transform financial data presets (referenced to Art. 6) strip personal data out of prompts and pastes on the device, so the un-assessed disclosure to the AI provider doesn't occur — while sanctioned, assessed AI workflows continue untouched. Discovery keeps the tool inventory explicit, so your privacy team assesses real usage instead of guessing.
Both presets are active from day one in every new organization; manage them in the preset library.
The outcome
The processing your legal bases don't cover is prevented at the source, and the processing you did assess proceeds normally — with the audit trail showing exactly which control did what.
Was this article helpful?
Related articles
Apply policy presets and bundles
Deploy compliance-ready policies from the preset library — EU AI Act, GDPR, DIFC, Korea AI Basic Act, US AI in Employment, and ISO 42001/NIST bundles.
Read articleGDPR Article 5 — Principles of processing
Data minimization, purpose limitation, accountability — Article 5's principles apply fully when employees paste personal data into AI tools. How Shield enforces them at the prompt boundary.
Read articleGDPR Article 32 — Security of processing
Appropriate technical and organizational measures, including for the AI channel: how blocking secrets, redacting personal data, and warning on source code map to Article 32.
Read articleEU AI Act Article 26 — Deployer obligations
Article 26 defines your duties when deploying high-risk AI — applicable from December 2027 under the Digital Omnibus. What paragraphs (1), (5), and (6) require and how Shield prepares you now.
Read articleStill stuck?
Send us the details — we answer within one business day.