Every contract, by definition, means that personal data is processed. You cannot enter into a contractual relationship without providing personal data and identifiers, depending on the type of contract. At a minimum this concerns contact information; for certain types of contracts, such as an insurance contract, much more is required. It is best not to expand the definition of a contract too much, for example to avoid consent. Ultimately, everything can be considered a contract, and there will be cases where controllers take far too broad an approach in using a contract as a basis for lawful processing. The controller may process personal data in order to comply with a legal obligation. Legal obligations may apply equally to controllers in the private and public sectors and may include, for example, the obligation for an employer to report the salary information of its employees to the tax authorities or the obligation for financial institutions to report suspicious transactions to the authorities. Consent of the data subject. The data subject's consent is any free, specific, informed and unambiguous indication of the data subject's wishes by which, by a statement or by a clear affirmative action, he or she consents to the processing of personal data concerning him or her. The legal basis is governed by Article 6 GDPR. For data protection purposes, a “legal basis” (also known as a legal basis) means the legal justification for processing personal data. One or more valid legal bases are required in all cases where personal data must be lawfully processed in accordance with data protection legislation.
There is no hierarchy or preferred option in that list, but any processing of personal data should be based on the most appropriate legal basis in the specific circumstances of that processing. The legal basis also influences which rights of data subjects apply. Article 6 of the GDPR states that the data subject's consent must be given in relation to “one or more specific purposes” and that a data subject has a choice in relation to each of them. It is clear: specific objectives. Given all the information obligations, the different rights of data subjects that follow from consent as a legal basis for processing, and much more, consent is not always the ideal choice, to say the least. However, the GDPR and its various legal bases for lawful processing are not like a menu. The rule is and remains that, for the purposes of all personal data processing activities, the most appropriate legal basis is chosen for each purpose/activity. Consent: The data subject has consented to the processing of personal data. N.B. In many cases, it is not appropriate or even possible to base processing on the consent of the data subject.
You should therefore always first check whether you can base the processing of personal data on one of the other legitimate grounds. (a) Consent: The individual has clearly consented to you processing their personal data for a specific purpose. The possible legal bases for the processing of non-sensitive personal data are as follows: In the articles of the GDPR, consent is mentioned for the first time as the legal basis for the lawfulness of the processing of personal data in Article 6 and recital 40. U.S. laws generally allow the processing of personal data by default, and companies are not required to demonstrate a “legal basis” as required by the data protection laws of other jurisdictions, with some exceptions (e.g., COPPA generally requires verifiable parental consent prior to the online collection of personal information from children under the age of 13, and the Virginia Consumer Data Protection Act, the Colorado Privacy Act and the Utah Consumer Privacy Act prohibit the processing of sensitive information without consent). Based on changes to the CPRA effective January 1, 2023, the CCPA will require companies to limit the collection, use, storage and disclosure of California residents' personal information to what is “reasonably necessary and proportionate to fulfill the purposes for which the personal information was collected or processed, or for any other disclosed purpose, which is consistent with the context in which the personal data was collected, and are not further processed in a manner incompatible with those purposes,” Cal.