When is the processing of personal data permitted?
Legal bases for processing personal data
The processing of personal data always requires a legal basis, which must be determined before the start of processing. Once the processing of personal data has been tied to a basis for processing, the basis may not be changed. The processing basis significantly affects the rights of the data subjects with regard to the controller.
The General Data Protection Regulation (GDPR) contains six bases that permit the processing of personal data:
Special categories of personal data, such as data concerning ethnic origin or health, is principally prohibited. However, such processing can be permitted if an exception to the ban on processing is provided for in the GDPR or national legislation.
The data subject can give his or her consent to processing the data subject's personal data. Such consent must be a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her. The data subject can give a written or oral statement of his or her consent or express it by some other clear, affirmative act, such as ticking a box on a website. It must be as easy to withdraw consent as to give it.
The controller must be able to demonstrate that the data subject has given lawful consent to the processing operation.
When the data subject is party to a contract, his or her personal data may be processed for the performance of the contract. If, for example, the data subject orders products online, the company is permitted to process his or her address data in order to deliver the products.
It is important to define the precise contents and basic purpose of the contract, because they are used to evaluate whether or not processing is necessary. Processing shall be limited to necessary personal data.
This basis for processing also covers processing operations performed prior to entering a contract at the request of the data subject. For example, a lender can process the data required for evaluating creditworthiness prior to entering into a credit agreement.
The controller may be required to process personal data in order to comply with a legal obligation. Legal obligations can apply equally to controllers in the private and public sectors and can include, for example, the obligation of an employer to report the salary information of its employees to the tax authorities, or the obligation of financial institutions to report suspicious transactions to the authorities.
Legal obligations can only be based on Union or Member State law. Obligations based on the legislation of third countries do not fall within the scope of this basis, unless they have been included in the legal order of the European Union or Member State, such as by an international treaty.
The processing of personal data is permitted when it is necessary in order to protect the vital interests of the data subject or of another natural person. For example, the protection of vital interests is a suitable basis for processing in situations of life and death or in the case of threats that could injure the data subject or another person or be otherwise detrimental to health.
The processing of personal data can serve a vital interest during humanitarian catastrophes, such as natural disasters or epidemics, where it can be necessary in order to track the spreading of the epidemic.
The processing of personal data is permitted when required by the public interest or the exercise of public authority vested in the controller. This basis for processing can be used in both the private and public sectors in situations that involve public interest or the exercise of public authority in the European Union or a Member State.
The task carried out in the public interest or public authority must be based on the law or other legal provisions. For example, processing in the public interest can include the processing of personal data for scientific or historical research or the compilation of statistics.
The processing of personal data is permitted when it is necessary for the legitimate interests pursued by the controller or a third party. The legitimacy of an interest can be determined with the so-called balance test. In the test, the interests of the controller or third party are weighed against the interests and fundamental rights of the data subject.
A legitimate interest can exist, for example, when there is a relevant relationship between the data subject and controller. In practice, this means that the data subject is the customer or subordinate of the controller.