In order to legally process personal data, a legal basis must be applicable under Art. 6 GDPR:
Processing shall be lawful only if and to the extent that at least one of the following applies:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
The most commonly used basis for processing is the performance of a contract or processing that is necessary for entering into a contract. Secondly, legitimate interest allows for many of the less invasive forms of personal data processing, such as in the context of marketing. Only when legitimate interest does not allow for the processing, based on the weighing of all factors involved, is the consent of the data subject sought.
Legitimate interest and consent as legal bases for processing, however, result in further rights, such as the right to withdraw consent or to object to the processing based on the data subject's individual circumstances. Thus, it is important that consent and legitimate interest are properly documented and managed.