Legal Basis #6
Description
Legal Basis
The principle of the GDPR is the general prohibition of processing personal data unless it is legitimized by a permissive provision of a legal regulation (prohibition with reservation of permission).
The legal basis sets out the scope and application of the processing of personal data. It must be regulated so precisely that it is foreseeable for the data subject and the purpose of the processing must be clearly stated and defined. Depending on the underlying legal basis, it is determined by Union law or the law of the Member State to which the controller is subject.
For the lawful processing of personal data, the “principles relating to processing of personal data” must be complied with. The controller is obliged to provide accountability and proof of compliance. Secondly, one of the six legality facts must be met for each processing purpose. It should be noted that consent may not be obtained as an legality fact if another legality fact would also apply.
In addition, legality requirements such as rights of the data subject (Art. 12-23 GDPR) or data security/ protection measures (Art. 32-39 GDPR) apply.
Exceptions to this legal basis are only possible in the context of specific processing situations (Art. 85 et seq. GDPR) by legislation of the Member States.
Based On
Art. 5
Art. 6
Art. 6 Para. 3
Comm. Art. 5 Rn. 6
Comm. Art. 6 Para. 1 Rn. 10
Comm. Art. 6 Para. 1 Rn. 24
References
Legality Facts
Examination Compatibility of Purpose
Principles Relating to Processing
Accountability
Art. 12-23
Art. 32-39
Art. 85-91