Processing personal data lawfully means that personal data must be processed only if there is a valid legal basis for doing so under data protection laws, such as the GDPR. This lawful basis ensures the processing is legal, fair, and transparent. According to GDPR, there are six lawful bases for processing personal data:
- Consent: The individual has given clear, explicit, and voluntary consent for their data to be processed for a specific purpose.
- Contract: Processing is necessary to fulfill or enter into a contract with the individual.
- Legal obligation: Processing is required to comply with a legal duty.
- Vital interests: Processing is necessary to protect someone's life.
- Public task: Processing is necessary to perform a task in the public interest or in official authority.
- Legitimate interests: Processing is necessary for legitimate interests pursued by the controller or a third party, provided these are not overridden by the individual’s rights and freedoms.
Processing must also be necessary for the intended purpose, meaning there is no less intrusive way to achieve the same aim. Without one of these lawful bases, processing personal data is considered unlawful.
