The Privacy Suite for WordPress

What is a lawful basis for Data Processing?


Principles of collection of personal data: from legal basis to consent

If you have a simple website with a separate contact form, you already collect personal data. Since the introduction of privacy laws such as the GDPR, collecting personal data means that you have to meet various legal requirements. For example, in the UK, the EU, and Brazil you must have a legal basis to collect or process the data.

Six different legal grounds

For the EU and the UK, there are six different legal grounds on which personal data may be collected or processed.

Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

As an organization or person, you are responsible for assessing whether you can rely on one or more of these processing grounds.

Additional legal grounds in Brazil

(a) It is necessary to carry out studies by a research body, ensuring, whenever possible, the anonymization of personal data.

(b) It is necessary for the regular exercise of rights in judicial, administrative or arbitration proceedings.

(c) It is necessary for the protection of health, exclusively, in a procedure performed by health professionals, health services, or health authorities.

(d) It is necessary for credit protection.

Using the legal grounds within a Privacy Statement

  • Contact – Through phone, mail, email and/or webforms
For this purpose, the most logical processing ground would be to ask for consent (a), although the Performance of a contract (b) is also possible in the case of delivering ordered goods to an address.
For this purpose, the most logical processing ground would be the Performance of a contract (b).
For this purpose, you must choose between Asking consent (a), Performance of a contract (b), or the Legitimate interests (f).
For this purpose, the most logical processing ground would be to ask for consent (a).
For this purpose, the most logical processing ground would be Compliance with a legal obligation (c).

In any case, by asking users for permission, you are on the safe side!

 

Dr. Mathieu Paapst LLM cipm

Expert IT and Privacy Law
