Lawful processing | Data Protection Commission (2024)

Lawful basis for processing personal data

In order to process personal data you must have a lawful basis to do so. The lawful grounds for processing personal data are set out in Article 6 of the GDPR. These are:

  • The consent of the individual;
  • Performance of a contract;
  • Compliance with a legal obligation;
  • Necessary to protect the vital interests of a person;
  • Necessary for the performance of a task carried out in the public interest; or
  • In the legitimate interests of the company/organisation (except where those interests are overridden by the interests or rights and freedoms of the data subject).

FAQs

Which of the following is a lawful reason to process personal data?

The processing is necessary to comply with a legal obligation. The processing is necessary to protect the data subject's (or another person's) vital interests. The processing is necessary to perform a task in the public interest or in exercise of official authority.

How many grounds do you need to lawfully process data?

There are six available lawful bases for processing. No single basis is 'better' or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the individual. Most lawful bases require that processing is 'necessary'.

Which three of the following do we need to do to make sure processing is lawful, fair and transparent?

  ☐ We only handle people's data in ways they would reasonably expect, or we can explain why any unexpected processing is justified.
  ☐ We do not deceive or mislead people when we collect their personal data.
  ☐ We are open and honest, and comply with the transparency obligations of the right to be informed.

Are SCCs still valid?

From 21 March 2024, the old versions of the "Standard Contractual Clauses" (SCCs) issued by the European Commission under the 1995 Data Protection Directive (old EU SCCs) will no longer provide a valid mechanism for UK based organisations to export personal data.

What are the 3 principles in the lawful collection and processing of personal data?

Lawfulness, fairness, and transparency: Any processing of personal data should be lawful and fair.

What is not a valid reason for processing personal data?

If the data subject, a.k.a. natural person, consents to processing without knowing the (several) purpose(s) in full and in an easy to understand way, then consent is not a legal ground for processing as it's by definition not freely given, specific, informed and unambiguous.

What are the six reasons for lawful processing?

The 6 Lawful Bases for Processing Data Under GDPR
  • Consent.
  • Contractual obligations.
  • Legal obligation.
  • Vital interests.
  • Public interests.
  • Legitimate interests.

What does the lawfulness of data processing involve?

Lawfulness. Processing is lawful if it is based on one of the legal grounds listed in art. 6 of the GDPR. The most prominent of these legal grounds is consent, but other grounds are also available, including legitimate interest.

What is an example of a lawful basis for processing?

For example, if you are getting specific consent for the new purpose, your lawful basis will be consent. If you are relying on a legal provision requiring the new processing in the public interest, your lawful basis will be legal obligation.

What are the eight conditions of lawful processing?

  • Collection of personal information must be for a specifically defined, lawful purpose related to a function of the responsible party
  • Data subject must be aware of the purpose of collecting data
  • The purpose for processing personal information must be clear
  • Record retention must not be longer than necessary unless ...

What is the seventh condition for lawful processing?

Condition 7: Security Safeguards

Physical and technical security safeguards must be considered and implemented together with organisational measures such as security processes and procedures. Both electronic and hard copy records of personal information must be secured.

What are the six available legal grounds (lawful bases) to process personal data?

Article 6 of the General Data Protection Regulation (GDPR) sets out what these potential legal bases are, namely: consent; contract; legal obligation; vital interests; public task; or legitimate interests.

What are the new SCC requirements?

The SCCs reflect new requirements of the GDPR, including enhanced transparency obligations and more detailed clauses on data subject rights, data breach notification and rules for onward transfers.

Do SCCs replace DPA?

To conclude, under the implementing decision of the New SCCs, using them is sufficient and replaces the need for a DPA under Articles 28(3) and (4) to the GDPR, in data transfer cases.

What is Clause 13 of the SCCs?

Clause 13 (Supervision) of the SCCs.

Data exporter is established within the EEA; 2. Data exporter is established outside the EEA but is nevertheless subject to the GDPR and has appointed an authorized representative in the EEA pursuant to Art.

What is the lawful basis for processing data under a contract?

When is the lawful basis for contracts likely to apply? You have a lawful basis for processing if: you have a contract with the individual and you need to process their personal data to comply with your obligations under the contract.

What is the lawful basis for processing employee data?

The three legal bases most relevant in the employment context are performance of a contract, compliance with a legal obligation and legitimate interests of the employer. Many employers have relied on consent as a basis for processing employee data.

Which of the following conditions allow the lawful processing of special categories of personal data?

Article 22(4) says that you cannot use special category data for solely automated decision-making (including profiling) that has legal or similarly significant effects, unless you have explicit consent or meet the substantial public interest condition.

What is the right to object to processing of personal data?

What is the right to object? You have the right to object to an organisation processing (using) your personal data at any time. This effectively means that you can stop or prevent the organisation from using your data.

Author: Cheryll Lueilwitz