The GDPR - the General Data Protection Regulation - puts in place a lot of rules for gathering and using personal data. But it also puts strict limits on who can collect personal data at all. You need to have a “lawful basis” in order to process personal data under the GDPR.
These legal justifications include:
1. Consent
This means the consumer or user has agreed to the processing of her data for some purpose, for example when you consent to being sent a newsletter.
2. Performance of a contract
Processing is allowed if the data is necessary for the performance of a contract; in other words, the company needs some personal data to do something it agreed to do. For example, if a customer buys goods, his name and address need to be used for shipping.
3. Legal Requirement
A company can process personal data if it’s necessary for compliance with a legal obligation, for example sending employee data to a tax agency.
4. Vital Interests
Data can be processed if it’s necessary to protect the vital interests of the data subject or of another person, for example processing health information for someone who needs urgent medical attention.
5. Public Interest or Official Authority
An entity can process personal data if it’s necessary for a “task carried out in the public interest” or to exercise some official authority, for example a census bureau gathering data on its citizens.
6. Pursuing Legitimate Interests
This is a catch-all, allowing for other reasons to process personal data. However, this requires the company to jump through more hoops.
They need to:
- Identify a legitimate interest;
- Show that the processing is necessary to achieve this interest;
- Balance the purpose against the individual’s interests, rights and freedoms.
So that’s it! The GDPR requires a legal reason why a company might process (gather and use) personal data.