Lawfulness of processing
Processing is lawful only if and to the extent that at least one of the following conditions is met:
the data subject has consented to the processing of their personal data for one or more specific purposes;
the processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract;
the processing is necessary to comply with a legal obligation incumbent on the controller;
the processing is necessary to protect the vital interests of the data subject or another natural person;
the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
the processing is necessary to satisfy the legitimate interests of the controller or of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject requiring protection of personal data, in particular where the data subject is a child.
Point (f) of the first paragraph shall not apply to processing by public authorities in the performance of their duties
Member States may maintain or introduce more specific provisions adapting the way the rules of this Regulation are applied to processing for the purposes of complying with points (c) and (e) of paragraph 1; to this end, they may specify specific requirements for processing and other measures to ensure lawful and proper processing, including for other specific processing situations referred to in Chapter IX.
The legal basis for the processing referred to in paragraph 1(c) and (e) must be established by:
Union law; or;
member state law applicable to the controller.
The purpose of the processing shall be defined in that legal basis or, in relation to the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions adapting the application of the rules of this Regulation, including the general conditions on the lawfulness of processing by the controller; the types of data processed; the data subjects; the entities to which and the purposes for which the personal data may be disclosed; the purpose limitation; the storage periods; and the processing activities and procedures, including measures to ensure lawful and appropriate processing, such as those for other specific processing situations referred to in Chapter IX. Union or Member State law must meet an objective of public interest and be proportionate to the legitimate aim pursued.
Where processing for a purpose other than that for which the personal data have been collected is not based on the data subject's consent or on a provision of Union law or of Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the purposes referred to in Article 23(1), the controller shall take into account, inter alia, when assessing whether processing for a different purpose is compatible with the purpose for which the personal data were initially collected:
any relationship between the purposes for which the personal data were collected and the purposes of the intended further processing;
the context in which the personal data have been collected, particularly as regards the relationship between the data subjects and the controller;
the nature of the personal data, in particular whether special categories of personal data are processed, in accordance with Article 9, and whether personal data on criminal convictions and offenses are processed, in accordance with Article 10;
The potential impact of the proposed further processing on data subjects;
the existence of appropriate safeguards, which may include encryption or pseudonymization.event.
