To process personal data, a lawful basis under Article 6 of GDPR is required.
You must select which one of the following grounds applies:
- Consent of the data subject: consent must be free and informed.
- Necessary for the performance of a contract
- Compliance with a legal obligation
- Necessary to protect the vital interests of a person
- Necessary for the performance of a task in the public interest
- The legitimate interests of a company or organisation (except where that interest is overridden by the rights of the data subject)
For Special Category data, you must satisfy a ground under Article 6 and one of the grounds under Article 9, which are:
- Explicit consent: the purpose of the data processing must be explained, and the data subject must actively consent.
- Processing is necessary to protect the vital interests of a person, where the data subject is incapable of giving consent
- Processing is carried out in the course of legitimate activities with appropriate safeguards by a non-profit religious, philosophical or political body or trade union, and the processing relates to members or former members or persons who have regular contact with the body, and where the personal data are not disclosed outside the organisation without consent.
- Personal data which are manifestly made public by the data subject.
- Exercise or defense of legal claims or whenever courts are acting in a judicial capacity.
- Necessary for reasons of substantial public interest
- Necessary for the purpose of preventative or occupational medicine, for assessment of the working capacity of an employee, provision of health or social care, and on the basis of EU or Irish law and pursuant to a contract with a health professional.
- Processing is necessary for public health reasons, pursuant to law.
- Processing is necessary for public interest, historical, statistical or scientific archiving, pursuant to law.
Organisations must identify what type of data they are processing and establish the correct lawful basis or bases. Organisations should only collect personal data in the least intrusive manner.
By Lisa Quinn O’Flaherty
Solicitor at Fitzsimons Redmond