GDPR brings six grounds on which you can process your legal data.

One is consent, but it must be accompanied by information, can be withdrawn at any time, and in some cases may be invalid (for example in working relationships). At the same time, you are required to demonstrate at any time that you have obtained a valid consent. Note that although in most cases you can migrate to other legal grounds, consent is mandatory in some situations: marketing, tracking (e.g., cookies).

If you want to choose the right legal basis, it would be a good idea to consult the information below.

Consent

Preamble (32), (42), (43); Article 6 (1) let. (a) Processing is permitted if the data subject has given his consent for processing.

Concluding or executing a contract 

Preamble (44); Article 6, paragraph (1) lit. (B) processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to the conclusion of a contract.

Fulfilling a legal obligation 

Preamble (45); Art.6 (1) lit. (cart. 6 par. (3) processing is necessary to fulfill a legal obligation incumbent upon the operator.

Vital interests 

Preamble (46); Art.6 (1) lit. (D) processing is necessary to protect the vital interests of the data subject or of another individual.

Public interest

Preamble 46; Art.6 (1) lit. (E)processing is necessary for the performance of a task which is in the public interest or which results from the exercise of the public authority with which the operator is invested.

Legitimate interest

Preamble (47), (48); Art.6 (1) lit. (F)processing is necessary for the legitimate interests pursued by the operator or a third party, unless the interests or fundamental rights and freedoms of the data subject that require the protection of personal data are prevalent, in particular where the data subject is a child.

Processing of personal data relating to criminal convictions and offenses

Art.10 The processing of personal data relating to criminal convictions and offenses or related security measures pursuant to Article 6 (1) shall be carried out only under the control of a State authority or where processing is authorized by Union or national law providing for adequate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions is kept only under the control of a state authority.

Processing of special categories of personal data 

Preamble (51) – (56); Article 9 The person concerned has given his explicit consent;

Processing is necessary for the purpose of fulfilling the obligations and exercising specific rights of the operator or person concerned in the field of employment and social security and social protection;

Processing is necessary to protect the vital interests of the data subject or another natural person when the data subject is physically or legally incapable of giving consent;

Processing is carried out in the course of their legitimate activities and with adequate safeguards by a foundation, association or other non-profit-making organization and political, philosophical, religious or trade union organization, provided that the processing relates only to members or former members of that body or persons with whom he has permanent contact with his or her purposes and that personal data are not disclosed to third parties without the consent of the data subjects;

Processing refers to personal data that are made public by the data subject;

Processing is necessary for the establishment, exercise or defense of a right in court or whenever the courts act in the exercise of their judicial function;

Processing is necessary for reasons of overriding public interest under Union or national law which is proportionate to the objective pursued, respects the essence of the right to data protection and provides for appropriate and specific measures to protect the fundamental rights and interests of the data subject;

Processing is necessary for purposes of preventive or occupational medicine, assessment of the employee’s work capacity, medical diagnosis, health or social care or medical treatment, social assistance under Union or national law, or under a contract with a health care and subject to the conditions and guarantees provided for in paragraph 3;

Processing is necessary for reasons of public interest in the field of public health, such as the protection against serious cross-border threats to health or the provision of high quality and safety standards for healthcare and medicines or medical devices under Union or national law which provides for appropriate and specific measures to protect the rights and freedoms of the data subject, in particular professional secrecy;

Processing is necessary for purposes of archiving in the public interest, for scientific or historical research purposes or for statistical purposes in accordance with Article 89 (1), on the basis of Union or national law which is proportionate to the objective pursued, respects the essence of the right to data protection and provides for appropriate and specific measures to protect the fundamental rights and interests of the data subject.

Processing for other purposes

Article 6, paragraph (4) Where processing for any purpose other than that for which the personal data were collected is not based on the consent of the data subject or on Union law or domestic law which constitutes a necessary and proportionate measure in a democratic society in order to protect the objectives referred to in Article 23 (1), the operator, in order to determine whether the processing for another purpose is compatible with the purpose for which the personal data were originally collected, shall take into account, inter alia: (a) any link between the purposes for which the personal data were collected and the purposes of the subsequent processing envisaged; (b) the context in which personal data has been collected, in particular as regards the relationship between data subjects and the operator; (c) the nature of the personal data, in particular in the processing of special categories of personal data in accordance with Article 9, or where personal data relating to criminal convictions and offenses are processed in accordance with Article 10; (d) the likely consequences for the data subject of the envisaged further processing; (e) the existence of adequate safeguards, which may include encryption or pseudonymization.