GDPR Article 6 and Web Scraping: The Legal Basis Checklist Most Developers Skip

Your web scraper is probably GDPR non-compliant. Not because you're collecting illegal data — but because you haven't documented why you're allowed to collect it. GDPR Article 6 requires a lawful basis for processing personal data. Scraping publicly available data still counts as processing if it includes personal data (names, emails, job titles, profile photos). Here's the checklist I use before deploying any scraper that touches personal data. The 6 Lawful Bases (and Which Apply to Scraping) 1. Consent — Almost Never Applies to Scraping You'd need the data subject to explicitly opt in to you collecting their data. Since you're scraping without their knowledge, this base almost never applies. Exception: If you're scraping your own customers' data from a platform they authorized you to access. 2. Contract — Narrow Application Applies when processing is necessary to fulfill a contract with the data subject directly. Scraping use case: Enriching contact data for someone who signed up to