
The lawful basis for Data Processing under the GDPR

A lawful (or legal) basis for processing must be satisfied before a business can process any personal data. Article 6 of the GDPR describes six scenarios in which you are allowed to process personal data legally.

1. Data subject has given consent

The GDPR states that the individual’s consent must be:

  • freely and clearly given,
  • specific,
  • informed, and
  • unambiguous. 

It is important to know that the request for consent must be clearly distinguished from all other text, so that the individual understands what data is collected from them and how it is used.

Individuals must be given the option to refuse or withdraw their consent at any time and without penalty. Companies must honour the withdrawal and stop processing the individual's data.

Withdrawing consent must be possible in the same way as giving it. It is the company's obligation to demonstrate that the individual has given consent to the processing of their data.

If data is used for multiple purposes, then consent is required for each purpose separately.

2. There is an existing contract

The processing is necessary for the performance of a contract, or for taking steps at the request of the individual before entering into a contract. 

For example, when an individual wants to open a bank account, he or she is asked to fill out a form with his or her personal details. This counts as pre-contractual processing.

But if, once the account is opened, the bank wants to send you campaign offers as part of its marketing activities, it needs to use your email address to do so. In this situation the bank must first obtain your consent to have a lawful basis.

3. Processing is necessary for compliance with a legal obligation

The controller is obliged to process the data when EU or EU Member State law requires it.

National laws may require companies to process personal data. For example, Estonian accounting law requires companies to preserve documents for 7 years, so companies are bound by national law to process the personal data those documents contain.

For public officials, a legal obligation means an official task assigned to them by law. For example, the tax department, the police and financial institutions process individuals' personal data because it is their job to do so.

4. Processing is necessary in order to protect vital interests

This processing is necessary to protect an individual's life or physical integrity when it is in danger (for example, emergency medical care) and the data subject is unable to give consent. This basis should be relied on only as a last resort.

For example, it is important that ambulance staff can access an individual's medical data in case of an accident. Processing under vital interests is used mostly in extreme conditions and circumstances.

5. Processing is necessary for the performance of a task carried out in the public interest

The processing is necessary to perform a task carried out in the public interest or in the exercise of official functions, and the task or function has a clear basis in law.

Processing individuals' data for the benefit of the public can be regarded as public interest; for example, during a disease outbreak, data processing can help with statistics and the flow of information. Processing the data of a public figure is in the public interest when public interest in that person is high.

6. Processing is necessary for the purposes of legitimate interests

The processing is necessary for the company's legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual's personal data that overrides those legitimate interests.

Legitimate interest may only be applied in situations where there is a relevant and appropriate relationship between the individual and the data processor.

Such a situation can be, for example, a client and service-provider relationship in which the client can reasonably expect their data to be processed. When a company belongs to a group, transmitting data within the group for internal administrative purposes is a legitimate interest.

Legitimate interest does not apply to public authorities processing personal data to perform their tasks.

Recording the lawful basis for each processing activity

According to GDPR Article 30, the lawful basis for each processing activity should be recorded in the Record of Processing Activities.

The simplest way to manage and record all processing activities is with a tool like GDPR Register.

More to read on this topic: Records of processing activities in GDPR Article 30
