The legal basis for the processing of personal data
In the world of data protection, one of the fundamental issues is the legal basis upon which the processing of personal data is carried out. Within the framework of the General Data Protection Regulation (GDPR) of the European Union, there are several legal bases (Art. 6 GDPR) that allow organizations to collect, use, and share personal data in a legal and ethical manner. In this post, we will explore the different legal bases and their importance in data processing. Understanding and applying them correctly is essential for fulfilling other basic obligations such as data retention periods, drafting privacy policies, preparing the records of processing activites, etc.
Below we outline the legal bases applicable to private entities:
Consent of the Data Subject: the most common legal basis.
Consent is one of the most well-known and commonly used legal bases for the processing of personal data, although not the only one. According to the GDPR, consent must be freely given, specific, informed, and unambiguous, and individuals have the right to withdraw their consent at any time. It is important for organizations to obtain clear and explicit consent, never implied, before processing individuals’ personal data.
Although not the only legal basis, the lack of consent for data processing is often a major argument of the Spanish Data Protection Agency for imposing sanctions. A recent example is Orange being fined for providing an unauthorized third party with a copy of a SIM card without the holder’s consent.
Performance of a Contract to Which the Data Subject is a Party
Another legal basis for data processing is the performance of a contract. When data processing is necessary to fulfill a contract to which the individual is a party, no additional consent is required. However, the processing must be necessary for the performance of the contract and related to it.
Compliance with a Legal Obligation
Data processing may also be necessary to comply with a legal obligation to which the organization, company, or entity is subject to. This includes situations where processing is necessary for compliance with legal or regulatory obligations, such as fulfilling labor or tax obligations.
Legitimate Interest: the legal basis for marketing to existing customers.
Data processing may also be based on the legitimate interests pursued by the organization. However, it is important to balance these interests with the fundamental rights and freedoms of individuals. Organizations must conduct a Data Protection Impact Assessment (DPIA) to determine if their legitimate interests outweigh the privacy rights of individuals.
Among the legitimate interests as a legal basis is the use of data for marketing purposes, in relation to existing customers and to offer similar products or services from the same company with which there is a contractual relationship.
Protection of Vital Interests
In situations where data processing is necessary to protect the vital interests of the individual or another natural person, this legal basis may apply. For example, in cases of medical emergencies or life-threatening situations, organizations may process personal data without consent to protect the health and safety of the individuals involved.
Conclusion
In summary, understanding the legal basis for data processing is essential to ensure compliance with data protection regulations and protect the privacy rights of individuals. By selecting the appropriate legal basis, organizations can ensure that their data processing is transparent, ethical, and legally sound.
If you need more information, contact us!
Information on data protection
Company name
LEGAL IT GLOBAL 2017, SLP
Purpose
Providing the service.
Sending the newsletter.
Legal basis
Compliance with the service provision.
Consent.
Recipients
Your data will not be shared with any third party, except service providers with which we have signed a valid service agreement.
Rights
You may access, rectify or delete your data and exercise the rights indicated in our Privacy Policy.
Further information
See the Privacy Policy.