Under the General Data Protection Regulation (GDPR), the controllers must determine the legal basis for each purpose of data processing operations carried out under its responsibility (i.e. data processing carried out either by itself or by its processor).
The different legal bases for processing personal data are laid down in article 6 GDPR and include, among others, consent, legitimate interest, the performance of a contract and compliance with a legal obligation.
However, where special categories of data and/or data about criminal convictions are processed, controllers must pick an additoinal legal basis among those laid down in articles 9 or 10 GDPR.
Not considering the legal basis of processing beforehand may lead to various breaches of the GPDR and in particular, breach of individuals’ rights.