Legal Bases for Processing Personal Data. A Guide.
As a first step in examining whether and how a controller processes personal data it is important to consider the legal bases of that activity. The DPC has published a reasonably detailed run-through to help with this issue.
‘One of the first questions which organisations involved in processing personal data (‘controllers’) should ask themselves before undertaking the processing is “What is my reason or justification for processing this personal data?” This is of key importance because any processing of personal data is only lawful where it has what is known as a ‘legal basis’. Article 6 of the General Data Protection Regulation (GDPR) sets out what these potential legal bases are, namely: consent; contract; legal obligation; vital interests; public task; or legitimate interests.’
The aim of this guidance is primarily to assist controllers in identifying the correct legal basis for any processing of personal data which they undertake or plan to undertake – and the obligations which go with that legal basis’.