Consent not always required for data processing: the different bases

Consent of affected person.

The way consent is sought must meet four requirements.

• Freely given. A person should not be pressured to give consent, or disadvantaged for not giving consent.

• Unambiguous. It must be clear that consent has been actively given. This means, for example, no pre-ticked boxes.

• Informed. Data subjects should be informed about the identity of the organization, the purpose of the processing, what data is collected and used, and the right they have to withdraw consent.

• Specific. Consent must be for a specific processing and purpose. This may not be changed or extended.

In addition, it must be easy to withdraw consent again (e.g., a clear unsubscribe link) and it must be possible to prove that consent was given.

Parental consent is required to process data of children under 16 years of age.

Data processing is necessary for the performance of a contract.

An agreement has been made and the processing of personal data is necessary for this purpose. The agreement itself may not be aimed at processing personal data, but must have some other purpose. For example, it may involve processing address data to send a product sold. Address data is needed to process the purchase.
The data may not be processed for other purposes, such as analysis, on this basis.

Data processing is necessary for the fulfillment of a legal obligation.

The processing is necessary to comply with a legal obligation. Examples include an order from the police to provide personal data. This may also include storing personal data of employees. For example, it is a legal requirement to include a copy of an identity document in payroll records.

Data processing is necessary to protect vital interests.

This basis will not be able to be used much and this should only be done if no other basis is possible. A vital interest is at issue if a person's life or health is at stake and consent cannot be sought. This only applies in the case of medical treatment

Data processing is necessary for the performance of a task in the public interest or the exercise of public authority.

Invoking this basis is only possible if you are performing a public task for the public interest or public authority. It must be clear that the data processing is based on a specific legal task and the processing must be necessary to fulfill that task. An example is the installation of cameras by the municipality for public safety.

Data processing is necessary for the protection of legitimate interests.

Three conditions must be met for data to be processed on this basis.

• Justified interest: the interest must be legitimate, clearly articulated and genuinely present. For example, keeping personnel records.

• Necessity: the processing must be necessary and tested against the requirements of proportionality and subsidiarity. Thus, the purpose of the processing must be proportionate to the violation of the person concerned and the purpose must not be achievable in a less harmful way.

• Balancing interests: a balance must be made between your interests and the interests of the persons whose personal data you are processing. If necessary, measures must be taken to ensure that the rights and freedoms of the persons concerned do not outweigh the legitimate interest. Retaining the data should also not be longer than necessary for the purpose of processing.

Processing data for direct marketing may fall under this basis. However, conditions must be met and there must be an opt-out possibility. Preventing fraud or ensuring the information security of networks, also falls under a legitimate interest.

Government agencies may not rely on this basis.

Accountability

In all cases, make sure that it can be substantiated what the basis is based on. Accountability applies under the AVG. It must therefore always be possible to demonstrate that the processing complies with the main principles.