Legal Bases for the Processing of Personal Data

Under the GDPR (General Data Protection Regulation), the European Union’s regulation on the protection and free flow of personal data, a company may collect and use the personal data of natural persons only if:
- The processing is necessary for the performance of an existing contract or for taking steps toward the signing of a future contract.
- The organization is fulfilling a legal obligation, and the data processing is based on a requirement set out by EU law or the internal legal system of a member state (for example, when an employer provides salary information for social security purposes).
- The processing is necessary to protect the vital interests of the data subject or another person, such as safeguarding life (e.g., humanitarian reasons, controlling or preventing an epidemic, or during natural disasters).
- The processing is necessary for the performance of a task carried out in the public interest. This typically involves public institutions such as schools, hospitals, municipalities, and other administrative bodies.
- The processing is necessary for the legitimate interests of the data controller, provided these are not overridden by the data subject’s rights and interests (e.g., a bank using personal data to determine if an individual qualifies for a loan).
In all other cases, the organization must obtain the data subject’s prior consent before processing personal data. This consent must be freely given, specific, informed, and unambiguous. These conditions are met when the individual has full freedom to refuse or withdraw consent, the processing serves a specific, defined purpose, the information about the data processing is provided clearly and understandably, and the consent is given in a form that clearly reflects the data subject’s intent (e.g., signing a consent form or selecting “yes” in response to a question on a website).
After consent is given, the organization must inform the data subject of the organization’s own details, the purpose for which the data is used, the duration of storage, and the details of any entities to whom the data will be transferred, along with the data subject’s rights under the GDPR.
For minors under the age of 16, the processing of personal data based on consent is only lawful if approved by a parent or guardian. Once an individual turns 16, no parental consent is required for the processing of their personal data.