The Legal Bases for Processing Personal Data

Under the General Data Protection Regulation (GDPR), controllers must determine the legal basis for each purpose of the data processing operations carried out under their responsibility (i.e. data processing carried out either by themselves or by their processors).

The different legal bases for processing personal data are laid down in article 6 GDPR and include, among others, consent, legitimate interest, the performance of a contract and compliance with a legal obligation.

However, where special categories of data and/or data about criminal convictions are processed, controllers must pick an additional legal basis among those laid down in articles 9 or 10 GDPR.

Not considering the legal basis of processing beforehand may lead to various breaches of the GDPR and, in particular, to breaches of individuals’ rights.

Record of Processing Activities

Under the European General Data Protection Regulation (GDPR), organisations processing personal data must maintain a record of their processing activities (ROPA) unless an exemption applies.

However, the type of information to maintain in this record differs depending on whether the organisation acts as a controller or as a processor with regard to a specific processing activity.

In addition, some of the processing activities recorded may also be subject to a data protection impact assessment (DPIA), which requires additional information (see here).