(6) Lawful bases for processing

The GDPR stipulates that all processing of personal information of citizens or residents of the EU has to be done under one of the six lawful bases.

Otherwise, such processing would be considered unlawful, and the financial and reputational consequences for the data controller (or data processor) could be severe.

6 Lawful bases for processing

1. Consent: the individual (data subject) gave consent for the processing of his/her personal data for one or more specific purposes. Consent has to be explicit, with a clear statement of consent. It has to be clear, specific and granular, and kept separate from other statements. You also have to keep records of consents (who gave it, for what specific purpose, how long you can keep it…)

2. Contract: a contract will be a valid lawful basis when processing is necessary for the performance of a contract to which the data subject is a party, or in order to take action at the request of the person before the contract is concluded. The important thing to note is that the collected data can only be processed to fulfill the purpose of the contract and can only be used for that specific purpose.

3. Legal obligation: the processing of personal data is necessary for a company to comply with the law. This is only applicable to EU and Member State law.

4. Protection of vital interests: the processing is necessary to protect someone’s life or freedoms. This lawful basis is supposed to be used only in specific situations where no other lawful basis is applicable, as a last resort, like matters of national security.

5. Public task: the processing is necessary for performing a task in the public interest. This applies to public authorities so that they can execute their services, where they are authorized to do so by EU or national law.

6. Legitimate interests: the processing is necessary for the purpose of the data controller’s legitimate interests or the legitimate interests of a third party. The exception is when those interests are overridden by the fundamental rights and freedoms of the data subject that require the protection of personal data, especially if the individual is a child or a minor.