Processing is lawful only if, and to the extent that, one of the following applies:
- The data subject has given their unambiguous consent to the processing of their personal data for one or more specific purposes.
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject before entering into a contract.
- Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Processing is necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject that require protection of personal data, in particular where the data subject is a child. (This basis does not apply to processing carried out by public authorities in the performance of their tasks.)
You do not need consent if you rely on one of the other bases for processing.
In fact, consent is arguably the weakest lawful basis for processing because it can be withdrawn at any time. When consent is withdrawn, your organisation will be obliged to erase the individual’s data if they request it – unless you can demonstrate a lawful reason to retain it.
It is therefore always worth determining whether another lawful basis for processing can apply.
In many cases, organisations will be able to rely on ‘legitimate interests’. As the most flexible of the six lawful bases for processing, it could theoretically apply to any type of processing carried out for any reasonable purpose, although the onus will be on you to balance your legitimate interests against the interests, rights and freedoms of the data subjects.
Whichever lawful basis for processing you deem appropriate for each processing activity, your organisation must keep a record of it.