To comply with the principle of lawfulness, the controller must process the data in accordance with at least one of the legal grounds set out in Article 6 of the GDPR. Specifically:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Where processing is necessary for compliance with a legal obligation (point c) or for the performance of a task carried out in the public interest or in the exercise of official authority (point e), the legal grounds for processing must be provided for in Union law or in the law of the Member State, which, in our case, must be a regulation having the force of law.
Legitimate interest does not apply to processing performed by public authorities in the exercise of their public powers.
Processing of special categories of personal data (Article 9, GDPR) is permitted when:
- the processing is conducted with the data subject’s explicit consent, except where this is prohibited by Union or Member State law;
- processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law;
- processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
- processing is carried out in the course of its legitimate activities with appropriate safeguards by a not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body;
- processing relates to personal data which are manifestly made public by the data subject;
- processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
- processing is necessary for reasons of substantial public interest;
- processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment, when those data are processed by or under the responsibility of a professional or other person subject to the obligation of professional secrecy;
- processing is necessary for reasons of public interest in the area of public health;
- processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
Processing of personal data relating to criminal convictions and offences may be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects (Article 10, GDPR).