Organizations sometimes assume that they need to obtain consent from data subjects to process their data. This may seem like an insurmountable administrative burden, but obtaining and managing consent is not mandatory for all activities involving the processing of personal data. In fact, consent is only one of many legitimate purposes for processing personal data. Here is an overview of the six legal bases for processing recognized by the GDPR: This legitimate basis must be established by law, the law being the General Data Protection Regulation itself or other laws of the EU or its member states. If your goals change over time, or if you have a new goal that you didn't originally expect, you may not need a new legal basis as long as your new goal is compatible with the original goal. In other words, you can enter consent into a form or use legal language to describe your actions. Attempting to outsmart your data subject means that you do not have legal consent and therefore have no legal basis to store the data. And that can put you in hot water: just ask Google. Universities are classified as public authorities, so the basis of public functions is likely to apply to much of their salary, depending on the details of their constitutions and legal powers. If the processing is separate from its duties as a public authority, the University may instead assess whether consent or legitimate interests are appropriate in the circumstances. For example, a university may rely on public tasks to process personal data for teaching and research purposes, but rely on a mix of legitimate interests and consent for alumni relationships and fundraising purposes.
☐ We have included information about the purposes of the processing and the legal basis for the processing in our Privacy Policy. A controller may process personal data if it is legally obliged to carry out such processing. However, this principle is subject to two important clarifications: Member States may introduce additional legal bases for processing carried out in the context of compliance with legal obligations (see Article 6(1)(c)) or for the performance of tasks carried out in the public interest (see Article 6(1)(e)). It is therefore always useful to check whether another legal basis may apply to the processing. There are many examples of these legal bases: employment records, accident reports for health and safety records, etc. You do not need a specific legal authority to process personal data, but you must have a clear legal basis that you must document. The interpretation given to the basis states that you rely on it when you need it to protect a person's life, but you cannot obtain any other consent for the treatment (they cannot or do not want to provide it). Why do we need a legal basis? This goes back to the GDPR's commitment to transparency, accountability, and data minimization. For too long, some data processors have ruthlessly collected data – and often collected data warehouses that were of no use to them but easy to obtain. Although approval tends to be strongest because it is the most transparent and least intrusive, there is no real hierarchy. Each legal basis is as strong as the other, as long as you meet the requirements of your reasoning and data processing.
Contractual obligation between the organization and the individual. The organisation may rely on this legal basis when it needs to process an individual's personal data: to provide them with a contractual service; or because they asked the organization to do something before entering into a contract (e.g., make an offer). Personal data may only be processed if there is at least one legal basis. The recognition of the very basis of the commercial activity (i.e. contractual obligations) is presented as the legal basis (recital 44; Article 6(1)(b)), which allows transformation in two scenarios. First, if it is necessary to conclude a new contract or work within the framework of an existing contract with the data subject, data processing is permitted. The second scenario is when the data subject initiates activities with the controller, the processing being already authorised before the conclusion of a contract. This is the case in pre-contractual relationships (preparation or negotiation prior to the conclusion of the contract), where the GDPR emphasizes that the initiation of processing steps must be carried out at the request of the data subject and not by the controller. Personal data may be processed on the basis that the data subject has consented to such processing. The rights of data subjects to erasure and data portability do not apply if they process on this basis. However, you have the right to object.
Extract from recital 45 of the GDPR: "It should also be for Union or Member State law to determine whether the controller responsible for the performance of a task carried out in the public interest or in the exercise of official authority should be a public authority or other natural or legal person governed by public law or, where it is in the public interest: including for health purposes such as public health and social welfare and the administration of health services by private law, such as a professional association". You may invoke legal obligations if you need to process personal data to comply with a legal or common law obligation. (It does not apply to contractual obligations.) The law in question should clearly state whether the processing is necessary for compliance. If it is necessary to process sensitive data as part of a contract, you must also provide a separate legal basis.