The General Data Protection Regulation (GDPR) outlines the conditions under which there is a legal basis for processing personal data.
Legal Basis for Processing:
Articles 6 through 10 of the GDPR outline the various legal bases for processing, along with specific conditions on consent, children's data, sensitive data and criminal conviction data.
Article 6: This article sets out the six lawful bases for processing personal data: obtaining the individual's consent, fulfilling a contractual obligation, complying with a legal obligation, protecting the vital interests of the individual or others, performing a task carried out in the public interest, or pursuing legitimate interests.
Article 7: This article outlines the conditions for obtaining valid consent for processing personal data. It requires that consent be freely given, specific, informed, and unambiguous, and that individuals be provided with a clear and accessible way to withdraw their consent at any time.
Article 8: This article outlines the conditions for processing personal data of children. It requires that for children under the age of 16, parental consent must be obtained before processing their personal data for information society services, unless the child is at least 13 years old and capable of giving consent.
Article 9: This article outlines the processing of special categories of personal data. It prohibits the processing of certain types of sensitive personal data, including data relating to an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, or data concerning health, sex life, or sexual orientation. However, there are exceptions for certain purposes, such as for medical treatment, employment, or public interest.
Article 10: This article outlines the processing of personal data relating to criminal convictions and offences. It requires that processing of this type of personal data be carried out under the control of official authority or authorised by EU or Member State law, with appropriate safeguards in place to protect individuals' privacy rights.