Legal Ground for Processing Personal Data

(e) Public task: The processing is necessary for the performance of a task carried out in the public interest or for your official duties, and the task or function has a clear legal basis. Insofar as we process special category data, we have also identified and documented a condition for the processing of special category data. The legal basis for processing is so important because it must be verifiable at all times. An organisation must be able to show internally, to data subjects and to supervisory authorities which legal basis it uses for each person whose data it processes. When a data subject gives consent to an organisation, the organisation must be able to demonstrate when and how that data subject gave consent. Again, this is much the same as in the privacy policy and, in non-legal language, simply means that the public interest remains a ground for processing. This covers, among other things, the performance of several possible public tasks (e.g. VAT and tax obligations), tasks that you have as a public authority and that require the processing of personal data in accordance with legal obligations, and other processing operations considered to be in the public interest, such as scientific research, public health and more. The need for a legal basis for the processing of personal data under the GDPR (with the necessary exceptions) is not new. In its recitals and articles, the GDPR says much the same thing as its predecessor, the Data Protection Directive (Directive 95/46/EC), on several fronts. But there are also impactful changes. If the controller has a legal obligation for which certain personal data must be processed, the processing is permitted. This compliance with a legal obligation to which the controller is subject and for which processing is necessary is also not new.

(f) Legitimate interests: The processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a valid reason to protect the individual's personal data that overrides those legitimate interests. (This cannot apply if you are an authority that processes data to perform your official duties.) Also note that data subjects have the right to object to processing on this ground in accordance with Article 21. In that case, such processing must cease, unless the controller can demonstrate compelling legitimate grounds for the processing which override the rights of the data subject. If data subjects object to processing for direct marketing purposes (including profiling for this purpose), they may not object to stopping the processing. For more information, see the section on special category data. Extract from recital 45 of the GDPR: "It should also be for Union or Member State law to determine whether the controller responsible for the performance of a task carried out in the public interest or in the exercise of official authority should be a public authority or other natural or legal person governed by public law or, where it is in the public interest: including for health purposes such as public health and social welfare and the administration of health services by private law, such as a professional association". This includes authorities (e.g. government or emergency services) and organisations to which official tasks are delegated. This processing must be permitted by EU or national law, so it is generally not possible for organisations to argue that they are covered simply because their activities are "in the public interest". Please note that data subjects have the right to object to processing on this ground in accordance with Article 21. Unlike the GDPR, the D-DPA (like the current DPA) does not require a controller or processor to rely on or provide a legal basis to process personal data.
In other words, the processing of personal data is in principle permitted.

This also applies to the processing of sensitive data, as long as the data is not passed on to third parties (see below). However, the processing of personal data must not unlawfully infringe the privacy of data subjects. A data breach exists in particular in the following cases: For any processing of personal data, it is important to consider the best legal basis, as recommended in the Article 29 Working Party (now the European Data Protection Board) Guidelines on Consent of the end of November 2017. The examination of the best legal basis for the lawfulness of each processing activity begins before the actual processing starts. In the context of GDPR compliance, this of course means that you already have a mandatory list and record of your personal data processing activities. Private sector companies, associations and organisations will rely mainly on the following legal bases: Fundamental interest: The controller must process personal data to protect a data subject who is unable to give consent, for example because they are unconscious. If you process special category data, you must identify both a legal basis for the processing and a special category condition for processing in accordance with Article 9. You must document both your legal basis for processing and your special category condition so that you can demonstrate compliance and accountability. The legal basis for processing is also important because it has a significant impact on how an organisation must respond to data subjects' rights requests.

Certain rights apply only if consent is the legal basis for the processing or if the performance of a contract is the legal basis for the processing. There are also other implications of the legal basis for the processing. For example, the processing of special categories of data, including race, ethnicity, health data, biometric data and other sensitive information, requires specific bases for processing. Of course, you can't always choose another one, and you need to be sure of the one you choose. This starts with knowing and understanding the six legal bases for processing personal data. So, a quick look at each of them as a reminder. Recital 40 of the GDPR states that personal data must be processed on the basis of the data subject's consent or another legitimate basis for the processing to be lawful. The main recitals and articles on lawful processing and the grounds for lawfulness of processing as such are, first of all, among those where little has changed. Even if processing for a new purpose is lawful, you must also verify that it is fair and transparent and provide individuals with information about the new purpose. The processing activity is necessary for a legal obligation, such as information security, labour law or consumer transaction law. However, this does not apply to processing based on consent.

Consent must always be specific and informed, and re-use of data for a new purpose would unfairly undermine the original consent. Typically, you will need a new consent that specifically covers the new purpose. If you get specific consent for the new purpose, you don't have to prove that it is compatible. You must determine your legal basis before you start processing personal data. It's important to get it right the first time. If, at a later stage, you discover that the basis you chose was in fact inappropriate, it will be difficult to simply switch to another. Even if a different basis could have applied from the outset, a retroactive change of legal basis would likely be inherently unfair to individuals and would lead to breaches of the accountability and transparency requirements. Private companies can sometimes operate in the public sector, for example when schools or health services are private. In that case, the legal basis for the processing is a task carried out in the public interest. Some personal data is considered so sensitive that its processing is generally prohibited.

When it comes to such data, it is not enough to have one of the above grounds; special rules also apply. Consent means that the data subject has given consent to the processing of their personal data for one or more specific purposes.