Consent as a legal basis for processing
First, GDPR allows for the processing of personal data when the data subject has given consent to such processing for one or more specific purposes. Consent must be given by a clear and affirmative action and must be freely given, specific, and unambiguous. If you are relying on the legal basis of consent, you must be able to show that you have obtained such consent. While checkboxes to indicate consent are acceptable according to Recital 32, pre-ticked checkboxes or silence do not work as they cannot be used to show an affirmative action that demonstrates consent. Consent should cover all processing activities for the same purpose or purposes. If the processing has multiple purposes, consent should be given for all of them.
Consent should be provided freely, and data subjects have the right to withdraw consent at any time. In fact, it should be as easy to withdraw consent as it is to give it. It is also important to note that a data subject revoking his or her consent does not affect the lawfulness of the processing carried out before that time. However, entities must ensure that no further processing of that data is performed after consent is withdrawn.
Second, you can process data when such processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract, under the contract legal basis. Recital 44 clarifies that under the contract legal basis, processing should be lawful where it is necessary in the context of a contract or the intention to enter into a contract. For example, if a consumer purchases shoes online, it would be lawful to process his or her shipping address to mail the shoes as part of this contract. However, using that address for marketing mail is not necessary to perform the contract and thus would not qualify for this legal basis. For more information on this legal basis, read our article on how contracts can be used to process data under GDPR.
Third, GDPR allows for the processing of personal data when such processing is necessary for compliance with a legal obligation to which the controller is subject. While GDPR does not require a specific law to be cited for each individual processing, the processing as a whole must have a basis in European Union or Member State law to qualify for this legal basis.
The legal basis of vital interests
Fourth, GDPR allows the processing of personal data when such processing is necessary in order to protect the vital interests of the data subject or of another natural person. In this case, “vital interests” are defined as interests which are essential for life. Examples of processing under this legal basis would include monitoring epidemics and their spread, natural disasters and humanitarian emergencies.
Fifth, GDPR allows for data processing when such processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Lastly, GDPR allows for the processing of personal data when processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights or freedoms of the data subject which would require protection of personal data, in particular where the data subject is a child.
Donata is the Co-founder and President of Termageddon, an auto-updating generator of website and application policies. She is a licensed attorney and Certified Information Privacy Professional. She also serves as the Vice-Chair of the American Bar Association’s ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals. In her free time, Donata enjoys beekeeping, hunting for morel mushrooms, and walks with her husband and two dogs.