
Lawfulness of Processing

GDPR addresses the very important topic of the lawful basis for processing data.

According to Article 6 of the regulation, there are six legal bases for doing so:

1) Consent

The data subject has to provide consent to the processing of his or her personal data for one or more specific purposes.

2) Contract

Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

3) Legal Obligation

Processing is necessary for compliance with a legal obligation to which the controller is subject.

4) Vital Interest

Processing is necessary in order to protect the vital interests of the data subject or of another natural person.

5) Public Interest

Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

6) Legitimate Interest

Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data, in particular where the data subject is a child.

Many of the lawful bases for processing depend on the processing being “necessary”. This does not mean that processing always has to be essential. However, it must be a targeted and proportionate way of achieving the purpose. The lawful basis will not apply if the company can reasonably achieve the purpose by some other less intrusive means. It is not enough to argue that processing is necessary because the firm has chosen to operate the business in a particular way. The question is whether the processing is necessary for the stated purpose, not whether it is a necessary part of the company’s chosen method of pursuing that purpose.

The principle of accountability requires companies to be able to demonstrate that they are complying with the GDPR, and have appropriate policies and processes. This means that they need to be able to show that the company has properly considered which lawful basis applies to each processing purpose and can justify the company’s decision.

Therefore, companies need to keep a record of which basis they are relying on for each processing purpose, and a justification for why they think it applies. There is no standard form for this, as long as they ensure that what they record is sufficient to demonstrate that a lawful basis applies. It is their responsibility to ensure that they can demonstrate which lawful basis applies to the particular processing purpose.

Are you prepared for an external audit of GDPR? If not really, don’t worry! You can be ready in a short time! Use our comprehensive GDPR self-assessment tool to generate your compliance evidence report with an easy-to-update progress tracker and action plan. You can now be confident and show the authorities that you take GDPR seriously and all the requirements are considered in your organization. Access the tool on and worry less when it comes to GDPR! All the evidence you need will be generated in one single report! Check it now:


Website last modified: 2019.03.08