GDPR: What is a 'Lawful Basis' for Processing Personal Data
Fundamental to GDPR compliance for B2B and B2C organisations is that the Data Controller (the person at your organisation with legal responsibility for the processing of individuals’ Personal Data) must have a Lawful Basis for processing that data. But what is a ‘Lawful Basis’ for processing?
Under GDPR these are defined in Article 6.1 as follows:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
It is important to note that there is no hierarchy to this list and a controller can select a different basis for different data processing activities.
For more on how your organisation can achieve GDPR compliance, click the button below.