Lawfulness of processing
The legal bases for processing
It is often thought that the only condition for lawfully processing data is the data subject's consent. This commonplace is substantially wrong, not only under the GDPR but also under the rules in force before it.
There are several legal bases for data processing. The first step is therefore to decide which legal basis (or bases) applies, so that the processing is lawful and meets the requirements of the GDPR.
The GDPR provides for the following legal bases:
a. the data subject has given consent, which must be specific to one or more purposes
b. performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (e.g.: to provide a service)
c. compliance with a legal obligation to which the controller is subject (e.g.: accounting obligations)
d. protection of the vital interests of the data subject or of another natural person (e.g.: to provide medical treatments)
e. legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data (e.g.: protection of a legal right, marketing activities towards customers without profiling).
These legal bases apply to personal data that do not fall within the special categories of data (e.g.: data concerning health, political opinions) and that do not relate to criminal convictions and offences.
The legal basis should be determined while the envisaged processing is still being planned (as required by data protection by design and preventive risk assessment), so that its feasibility and lawfulness can be assessed before it starts.