Grounds for processing data
When you process personal data, you must comply with the requirements of the GDPR.
It is important that you have a certain basis for the processing. In other words, you need a certain reason why you should be allowed to use personal data. At least one of the following bases must apply to the processing:
- You have obtained permission from the person about whom the information is going to be used, for a specific purpose (e.g., if that person wants to become a member of something);
- You have an agreement with the person about whom the information is about, and you have to fulfill commitments from that agreement (e.g. delivering an ordered product, you need to know to which address to take it);
- You have to comply with an obligation under the law (e.g., keeping financial records for the Tax Office);
- You are trying to protect someone’s life (e.g., doctors have to process data to arrange the best care for their patients);
- You have to process data for the whole community, in the public interest or exercise of public authority (e.g., the municipality installing camera surveillance to make sure everyone on the street is safe);
- You need to make sure things are fair and proper, these are also called legitimate interests (e.g., to prevent fraud, you need certain data).
So, in a nutshell, you need one of the following reasons: consent, an agreement, a legal duty, another person’s vital interests, a public interest or a legitimate interest.
If you do not have a good reason to use someone’s personal data, you are usually not allowed to use that data. There must always be a reason that allows you to use the data. This is stated in the General Data Protection Regulation. So, before you can use someone’s data, you need to make sure there is a good reason to do so.