There must be a lawful basis for all processing of personal data, unless an exemption or derogation applies. Stricter conditions apply to the processing of sensitive personal data (special categories). To process special categories, you must have at least one of the following bases (for non-sensitive personal data) in conjunction with one from Article 9 – ‘Processing of Special Categories’.
Consent – personal data may be processed on the basis that the data subject has consented to such processing.
Contractual necessity – where processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
Compliance with legal obligations – processing is necessary for compliance with a legal obligation to which the controller is subject. This legal basis is explicitly limited to legal obligations arising in the EU so, organisations that are subject to non-EU court orders may face challenges in this respect.
Vital interests – processing is necessary in order to protect the vital interests of the data subject or of another natural person. (this essentially applies in ‘life‑or-death’ scenarios). Under the GDPR, the processing condition can extend to other individuals (e.g., children of the data subject).
Public interest – processing is necessary for the performance of a task carried out by a public authority or a private organisation acting in the public interest.
Legitimate interests – Personal data may be processed on the basis that the controller has a legitimate interest in processing those data, provided that such legitimate interest is not overridden by the rights or freedoms of the affected data subjects. This legal basis does not apply to processing carried out by public authorities in the performance of their duties.
Data relating to criminal offences and civil law enforcement – may only be processed under the control of an official authority; or when permitted under EU or Member State law.
The content herein is provided for your convenience and does not constitute legal advice.
Compliance Technology Solutions B.V. 2018