1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
2. Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1 by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing including for other specific processing situations as provided for in Chapter IX.
3. The basis for the processing referred to in point (c) and (e) of paragraph 1 shall be laid down by:
(a) Union law; or
(b) Member State law to which the controller is subject.
The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX. The Union or the Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.
4. Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject’s consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia:
(a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;
(b) the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;
(c) the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10;
(d) the possible consequences of the intended further processing for data subjects;
(e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.
Personal data can always be processed if the data subject has given their consent.
However, for consent to be valid, it must be freely given, specific, informed and unambiguous. Consent therefore cannot be given implicitly, and no adverse consequences may be attached to refusing it.
It must always be possible to withdraw consent. Consent is, therefore, only sometimes the most appropriate legal basis. Furthermore, if you have started processing on the basis of consent, you are usually bound to the purpose the data subject was informed of when you obtained that consent.
The term “consent” is also used widely outside data protection law, and its meaning and validity requirements vary. For example, consent in healthcare is a different concept, where the data subject may have been given the ability by law or other means to opt out of the processing.
However, if you base your processing of personal data on consent, you must meet the requirements for consent under the GDPR.
Article 6(1)(b) of the GDPR provides that processing is lawful if it is necessary for the performance of a contract to which the data subject is party or for the implementation of measures taken at the data subject’s request before entering into a contract.
Concerning Article 6(1)(b) of the Regulation, recital 44 of the preamble states that processing should be considered lawful when it is necessary in the context of a contract or the intention to enter into a contract.
Lawful processing of personal data is often based on contractual necessity.
When you sell a service or product to a client, you will need to process their contact details in order to fulfil their request. In this case, your lawful basis for processing their personal data under the GDPR would be Article 6(1)(b).
Employment will be a contractual relationship; therefore, Article 6(1)(b) could also be relevant in this context.
In particular, concerning employment law, Article 88(1) of the GDPR provides that Member States may lay down by law or by collective agreement more specific provisions to ensure the protection of the rights and freedoms concerning the processing of workers’ data in the context of employment.
Article 6(1)(c) of the Regulation provides that processing is lawful if it is necessary for compliance with a legal obligation to which the controller is subject.
As regards Article 6(1)(c) of the GDPR, preamble recital 45 states that if the processing is carried out in compliance with a legal obligation to which the controller is subject or if the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, the processing should have a legal basis in Union or Member State law.
The GDPR does not imply that a specific law is required for each processing operation.
A law may be sufficient as a basis for several data processing activities established on a legal obligation incumbent on the controller, e.g. accounting rules. Or, it could be that the processing is necessary to perform a task in the public interest or the exercise of official authority.
Article 6(1)(c) is directly applicable as a basis for processing as long as the legal obligation follows, for example, from national law.
Every business or organisation is required to keep books and submit yearly accounts. Therefore, they will need to process personal data, and Article 6(1)(c) would be the lawful basis for processing it.
Definition of vital interests: a vital interest is an interest that is essential to the life of the data subject, i.e. of substantial and fundamental importance to them.
Article 6(1)(d) of the Regulation provides that processing is lawful if it is necessary to protect the vital interests of the data subject or another person.
Concerning Article 6(1)(d) of the Regulation, preamble recital no. 46 states that the processing of personal data necessary to protect an interest fundamental to the data subject’s life or another person should be considered lawful.
Processing of personal data based on another natural person’s vital interests should, in principle, only take place if the processing clearly cannot be based on any other legal ground.
Some types of processing may serve both important grounds of public interest and the vital interests of the data subject, for example, processing necessary for humanitarian reasons.
A hospital would be allowed to contact the patient’s partner to get in touch with the patient if it was of vital interest to the patient’s health. A vital interest could be if the patient is waiting for a new organ.
Article 6(1)(e) of the GDPR provides that processing is lawful where it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Article 6(1)(e) would rarely be the ground for processing personal data for a typical business; it is instead the usual basis for lawful processing by public authorities.
Article 6(1)(e) is directly applicable as a basis for processing as long as the controller carries out a task in the public interest or acts within the exercise of official authority vested in it.
Article 6(1)(e) does not necessarily require that the task requiring processing personal data is explicitly conferred on the authority by law.
For example, it is natural that the Ministry of Education could process personal data, even if there is no explicit legal mandate entrusting the Ministry with the task. This could be so, as the Ministry would be the central authority on a task relating to digital enrollment and application for admission to the programmes.
You can process personal data if it is necessary for you as the controller, or for a third party, to pursue a legitimate interest. You can only do this as long as that interest is not overridden by the interests or fundamental rights and freedoms of the data subject which require protection of their personal data, in particular where the data subject is a child.
A legitimate interest may exist where there is a relevant and appropriate relationship between the data subject and the controller, for example, if the data subject is a customer or employee of the controller.
The existence of a legitimate interest requires a careful assessment, where you must take into consideration the time and context of the collection of personal data.
A data subject should reasonably expect that processing for that purpose could take place. In particular, the interests and fundamental rights of the data subject may override the controller’s interests if personal data are processed in circumstances where the data subject does not reasonably expect further processing.
Processing personal data that is strictly necessary to prevent fraud also constitutes a legitimate interest of the controller concerned.
Processing personal data for direct marketing purposes could also be considered a legitimate interest.
Controllers who are part of a group of undertakings, or of institutions affiliated to a central body, may have a legitimate interest in transmitting personal data within the group for internal administrative purposes, including the processing of customers’ or employees’ personal data, according to recital 48 of the preamble.
Finally, recital no. 49 of the preamble states that processing personal data to the extent strictly necessary and proportionate to ensure network and information security constitutes a legitimate interest of the data controller.