Consents for transferring data outside of the eea
The transfer of personal data to countries outside of the european economic area is strictly prohibited unless:
The european commission believes the country in question has an adequate level of protection for personal data
One of the appropriate safeguards in the data protection legislation is implemented
If a specific exception applies
These restrictions have been put in place, as these countries are believed to not have an adequate level of protection for personal data.
Contract
This lawful basis is required if the processing of personal data is necessary for a contract you have with the individual or if the individual has asked for certain steps to be taken before entering a contract. This basis can be applied when:
→ processing is necessary
→ an organisation ensures an individual is competent to enter into a contract
→ a contract is identified as a lawful basis for processing
Legal obligation
This lawful basis is required if the processing of personal data is necessary for you to comply with the law. This basis will apply when:
→ an organisations purpose for processing is to comply with legal obligations
→ when the legal obligation can be identified
→ processing is necessary
Vital interests
This lawful basis is required if the processing of personal data is necessary to protect an individual’s life.
This basis will only likely apply in a medical emergency where processing medical data is required to protect a person’s life, but the individual is unable to give consent.
Public task
This lawful basis is required if the processing of personal data is necessary to perform a task in the public interest. This basis is usually applied to:
Public authorities
Organisations who carry out actions in the public interest
Necessary processing
When an individual does not have the right to erasure
Legitimate interest
This lawful basis is required if the processing of personal data is necessary for legitimate interests unless there is a reason to protect the personal data of data subjects, which overrides the legitimate interests. This basis can only be applied when:
A legitimate interest has been established
The processing is necessary
It has been demonstrated that there is a balance of the interests between the data subject and an organisation.
Summary
In this module, we have looked at lawful bases for processing and developed an understanding of what they are. The key things we have learnt are:
Understanding that all lawful bases apply to necessary data processing
Legal obligations and ensuring that a company complies with the laws set
Knowing what information can be shared and with who it can be shared
We have learnt when we need to apply a lawful basis and how to determine which one to apply, ensuring it is for the right purpose