There are 6 possible legal bases for data processing.
Consent
Consent must meet four criteria for processing to be lawful: it must be
- informed and
It must be as easy to withdraw as it is to give. You must document proof that consent has been validly obtained. To do this, you can add a description of the consent-gathering process as an attachment to the processing operation (step 11).
Contract or pre-contractual measures
The legal basis of the contract must meet three criteria to be valid:
- There must be a contractual or pre-contractual relationship between the data controller and the data subject;
- the contract must be valid under the applicable law and
- the processing must be objectively necessary for the performance of the contract.
The right to object may not be exercised in relation to processing on this legal basis, but the right to data portability may be. You can add the contract on which you are basing the processing to the attachments in step 11.
Legal obligation
The legal obligation must
- be mandatory and
- be sufficiently clear and precise to provide a valid basis for processing.
The texts creating this obligation must at least define the purpose of the processing.
The obligation must be imposed on the data controller and not on the data subjects. You will need to give details of the text imposing the processing (for example, an article of law).
Safeguarding vital interests
The safeguarding of vital interests is limited to situations which threaten the life of the data subject or of another natural person. The most obvious application is the situation where a person is the victim of an accident and, being seriously injured, is admitted to hospital while unconscious and unable to consent to the processing of his or her data. This basis must be interpreted strictly and used only if consent cannot be sought.
Mission in the public interest
This basis covers the performance of a task carried out in the public interest or in the exercise of official authority. Its use is justified in particular for processing carried out by public authorities in order to perform their duties.
Two conditions must be met:
- The processing operation must enable the relevant and appropriate performance of the task entrusted to the public authority and must not have any other purpose that is unrelated or too far removed from the specific nature of the public interest task in question.
- The public interest must be defined in law and cannot be presumed.
You will need to give details of the public interest mission that requires the processing.
Legitimate interests of the controller or a third party
This legal basis cannot be invoked by public bodies as part of their mission and must meet three conditions:
- the interest pursued must be legitimate, i.e. lawful (legal), clear and precise and real (not fictitious);
- the processing must be necessary to achieve the objective, i.e. it must be the least intrusive means possible;
- and lastly, the processing must not override the rights and freedoms of the data subjects, taking into account their reasonable expectations.
For example, a proportionality test must be applied.
You can keep the results of this test as a document in step 11. You should also detail the legitimate interests invoked (for example, the security of the computer network or the fight against fraud).