For processing to be lawful under the GDPR, you need to identify a legal basis before you can process personal data. These are often referred to as the “conditions for processing” under the DPA.
It is important that you determine your legal basis for processing personal data and document this. This becomes more of an issue under the GDPR because your legal basis for processing has an effect on individuals’ rights. For example, if you rely on someone’s consent to process their data, they will generally have stronger rights, such as the right to have their data deleted.
Conditions for special categories of data
Explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law
Processing is necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement
Processing is necessary to protect the vital interests of a data subject or another individual where the data subject is physically or legally incapable of giving consent
Processing carried out by a not-for-profit body with a political, philosophical, religious or trade union aim provided the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without consent
Processing relates to personal data manifestly made public by the data subject
Processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity
Processing is necessary for reasons of substantial public interest on the basis of Union or Member State law which is proportionate to the aim pursued and which contains appropriate safeguards
Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional
Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of healthcare and of medicinal products or medical devices
Processing is necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes