Companies have been gathering and processing personal information for decades, regardless of its imminent relevance and without prior specific consent from the subjects such data belonged to. While several data privacy laws have been fighting such practices, none of them has been as effective internationally as the GDPR. And that’s perhaps due to the astounding fines it entails (up to 20 million € or 4% of the company’s global annual turnover).
The GDPR (General Data Protection Regulation) established that personal data should be processed lawfully, fairly, and transparently. Based on this principle, the GDPR sets out 6 lawful bases for data processing.
This article will list them all and provide concrete examples to ensure you have a lawful basis for data processing and correctly follow the other GDPR principles.
The 6 lawful bases for data processing with examples
For the data processing to be lawful under the GDPR, it must be justified by at least one of the following:
|Lawful bases for data processing||Personal data can be processed when…||Examples|
|1. Consent||The person who the data belongs to (data subject) has agreed to the processing of personal data for one or more well-defined purposes.||Anytime you check a box on a website to agree to receive emails, you are giving your consent to data processing.|
|2. Vital interests||Processing is necessary to protect the life of the data subject or another person.||If you go to the hospital for an emergency, the doctors might need to access your medical records to know your blood type, check if you are an organ donor, etc.|
|3. Contract||Processing represents a contractual obligation because it is required for fulfilling a contract to which the person concerned is a party.||Your landlord, gas supplier, or Internet provider, needs to know your contact details to be able to reach you whenever necessary in relation to your contract.|
|4. Public interest||Processing is essential for performing a task carried out in the public interest or the exercise of official authority.||For example, the police are entitled to check your identity documents and personal data when you travel from one country to another.|
|5. Legal obligations||Processing is needed to comply with the law.||For instance, AML-obliged organizations need to process clients’ personal data to comply with their legal obligations when onboarding new customers and prevent fraud.|
|6. Legitimate interest||Legitimate interest is the most flexible of the six lawful bases for data processing as it could theoretically apply to any event where data is processed for a reasonable purpose and has a minimal impact on the individual’s privacy – as long as there is no violation of their rights and freedoms.||An example could be the background checks and security vetting in recruitment and HR function, as the employer is legitimately interested in knowing more about the person being hired.|
What are the other principles data processing should be based on?
Besides being lawful – i.e., justified by one of the six lawful bases listed above – data processing should be performed under the following GDPR principles:
- Accountability: The data controller is responsible for processing data in a lawful way.
- Accuracy: The personal data should be kept up to date and corrected if there is any mistake.
- Storage limitation: Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for processing purposes.
- Data minimization: Personal data must be collected for specified, explicit, and legitimate purposes and only processed according to those purposes. Moreover, the personal data should be adequate, relevant, and limited to what is necessary for the purposes for which they are processed.
- Integrity and confidentiality: Personal data must be processed in a manner that appropriately ensures their security, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage.
- Transparency: Any information addressed to the public or the data subject must be communicated
- in a concise, transparent, intelligible, and easily accessible form;
- using clear, plain, and unambiguous language and, where appropriate, visualization and standardized icons;
- provided in writing, or by other means, including, where appropriate, electronic means such as a website.
- Transparency is a central principle in the GDPR whose scope begins at the data collection stage and applies “throughout the life cycle of processing”. Ensuring the effective access and comprehension of the information provided to data subjects is as important as the content of the information itself. In other words, it’s not just what you say but how you say it that matters.
How can I be sure I’m following the GDPR data processing principles?
Here are a few recommendations to ensure your data processing activities are compliant with GDPR rules:
Are you lawfully processing personal data?
Whenever personal data processing is performed, what ultimately makes the difference is the level of protection guaranteed to people’s privacy.
With Penneo, you can consistently reinforce your data security and privacy management while equipping your business with auditable and user-friendly means to meet industry standards and legislative obligations.