A business must only process personal data on the basis of one or more of the following legal grounds:

  • The individual has given their consent to the processing of their data for one or more specific purposes (Article 6(1)(a)).
  • It is necessary for entering into or performing a contract with the individual (Article 6(1)(b)).
  • It is necessary for compliance with a legal obligation to which the controller is subject (Article 6(1)(c)).
  • It is necessary to protect the vital interests of the individual or another person (Article 6(1)(d)).
  • It is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 6(1)(e)).
  • It is necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where these interests are overridden by the interests or the fundamental rights and freedoms of the individual which require protection of personal data (Article 6(1)(f)).

Where a business wishes to rely on legitimate interests, it must identify the legitimate interests it is relying on in its privacy notice.