Data protection is a fundamental right as set out in Article 8 of the EU Charter of Fundamental Rights, which states:
Everyone has the right to the protection of personal data concerning him or her.
Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned, or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
Compliance with these rules shall be subject to control by an independent authority.
This means every individual is entitled to have their personal information protected, used in a fair and legal way, and made available to them when they ask for a copy. If an individual feels that their personal information is wrong, they are entitled to ask for that information to be corrected.
In order to process personal data, organisations must have a lawful reason.
The lawful reasons for processing personal data are set out in Article 6 of GDPR. The six reasons for processing data are:
Consent
The data subject has given permission for the organization to process their personal data for one or more processing activities. Consent must be freely given, clear, and easy to withdraw, so organizations need to be careful when using consent as their legal basis. For example, the age of automatically checked consent boxes is coming to an end through GDPR.
Performance of a Contract
Self-explanatory, right? The data processing activity is necessary to enter into or perform a contract with the data subject. If the processing activity does not relate to the terms of the contract, then that data processing activity needs to be covered by a different legal basis.
Legitimate Interest
This is a processing activity that a data subject would normally expect from an organization to which it gives its personal data, such as marketing activities and fraud prevention. If legitimate interest is used as a legal basis for processing, the organization must perform a balancing test: is this processing activity necessary for the organization to function? Does the processing activity outweigh any risks to a data subject’s rights and freedoms? If the answer to either of those questions is “no,” then the organization cannot use legitimate interest as its legal basis for processing.
Vital Interests
A rare processing activity that could be required to save someone’s life. This is most commonly seen in emergency medical care situations.
Legal Obligation
The processing activity is necessary for a legal obligation, such as an information security, employment or consumer transaction law.
Public Interest
A processing activity carried out by a government entity or an organization acting on behalf of a government entity.