There are 6 bases for processing personal data
6 legal grounds for processing personal data can be the basis;
- You get explicit permission from the person whose data you are going to process;
- It is a necessary connection to process the personal data for which data minimization is also applied;
- In a contractual agreement, e.g., when entering into an employment contract;
- Meeting a legal obligation;
- In protecting vital interests;
- In a task of public interest or in the exercise of public authority;
- The legitimate interest.
When should a basis be mentioned?
- The basis for processing personal data should always be stated at the beginning of the processing;
- Articles 13 & 14 require you to inform the data subject about the data you collect from him or her;
- Guarantee transparency, even if the data you collect does not come directly from the data subject.
- The processing of personal data must be lawful be,
- When processing special personal data such as medical, financial or biometric data, only in the following cases;
- You have the explicit consent,
- The processing is necessary,
- To protect the vital interests of the data subject,
- When the processing is carried out by an association in the course of its legitimate activities,
- Personal data made known by the data subject himself,
- For judicial processing,
- The processing is necessary for reasons of substantial public interest,
- In prevention of occupational medicine,
- In the public health interest such as a pandemic,
- For archiving in the public interest, scientific or historical research,
- Where the processing is carried out under the responsibility of a professional who is bound by Union or Member State law or bound by professional secrecy.
- In principle, the processing of criminal convictions and offenses or related security measures may not be processed except under the control of public authorities or if the processing is authorized by Union or Member State law that provides
for human rights and freedoms. This also means that records of criminal convictions may only be kept under government supervision.
Consent to the processing of personal data
It is not the case that if you get a person’s consent to process his or her personal data, that you can just process all data concerning that person. It is only the data you need to fulfill your purpose for processing that you are allowed to process. Consent must always be free, specific and unambiguous.
Processing of personal data by agreement
To execute an agreement or to fulfill a contract, personal data are processed. Again, only personal data relevant to achieving the purpose of the processing should be processed. It is also possible that personal data are going to be processed before a contract has been entered into, in which case we speak of a pre-contractual relationship.
Processing personal data in the event of a legal obligation.
When there is no freedom of choice and consequently the law places you, as a controller, under an
imposes, then we speak of a legal obligation. By law, an employer must file a dimona declaration for which social security data must be declared.
Processing of personal data necessary for vital interests.
In order to protect the vital interests of data subjects, the processing of personal data may be necessary. The use is somewhat limited because it must be demonstrated that the processing is necessary as well as to ensure the protection of the data subject. This basis is usually invoked when a life-threatening situation arises.
Processing of personal data in the public interest or public authority.
If the processing is necessary for the performance of a task of public interest or a task for the exercise of public authority such as a municipality is authorized to organize parking policy, the necessary personal data may be processed. This can be by a new law, a royal decree or by applicable European regulations. Here, the data subject can invoke the right to object but not the right to data erasure.
Processing personal data for legitimate interest.
If the processing is necessary to satisfy the legitimate interests of the controller or a third party and the fundamental rights and freedoms of data subjects for the protection of personal data outweigh those interests if the data subject is a minor.