2.1 Legal bases for processing personal data
Personal data can be processed lawfully on the following bases:
a. Consent of the data subject
A person can give their consent to the processing of their personal data for a specific purpose. Consent can be given in writing, verbally, or by another clear and affirmative act, such as ticking a box on a website. Withdrawing consent must be as easy as giving it. Read more about consent in the next section.
b. Agreement
When the data subject is a party to an agreement, their personal data may be processed insofar as this is necessary for the performance of the agreement (or for steps taken at the data subject's request before entering into it). For example, if someone orders a supporter shirt from a sports club, the club is allowed to process their address information to deliver the order. It is important to define the precise contents and purpose of the agreement, because the assessment of whether the processing is necessary will be based on them. Only personal data that is necessary for performing the agreement may be processed on this basis.
c. Compliance with the controller’s legal obligation
Compliance with the controller’s legal obligations may require the controller to process personal data. Controllers in both the private and public sectors can be subject to such obligations, but the obligation itself must be laid down in EU law or in national legislation; an obligation that arises only from a contract does not qualify under this basis.
d. Safeguarding the vital interests of the data subject or another person
The processing of personal data is allowed when it is necessary to safeguard the vital interests of the data subject or another person. This processing basis is suitable in situations concerning life and death or threats that could result in injury to a person or otherwise be detrimental to health. The processing of personal data can serve a vital interest in a humanitarian crisis, such as during a natural disaster or epidemic. In such circumstances, processing could be required to track the spread of the epidemic, for example.
e. Performance of a task carried out in the public interest or the exercise of official authority vested in the controller
Personal data may be processed when required by the public interest or the exercise of the official authority vested in the controller. This can serve as a processing basis in both the private and public sectors when the public interest of the EU or the State is at stake or official authority is being exercised. The task in the public interest or official authority must have been vested in the controller by law or other legal provisions. For example, processing personal data for scientific or historical research or for the compilation of statistics can constitute processing in the public interest.
f. Legitimate interest
The processing of personal data is allowed when it is necessary for the legitimate interests of the controller or a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject. Whether this basis applies is determined with a ‘balance test’, in which the interest of the controller or third party is weighed against the data subject’s interests and fundamental rights, taking into account what the data subject could reasonably expect. For example, the controller may have a legitimate interest in processing when the data subject is the controller’s customer or employee. Public authorities cannot rely on this basis for processing carried out in the performance of their official tasks.