Lawful bases for processing of personal data

In order to process personal data, there must be a lawful basis for the processing. Without this, the processing is not considered legal according to GDPR. There is no general lawful basis that applies to all processing activities at KI, it can vary within different business areas and departments within KI. Here is a brief description of the six lawful bases that are being mentioned in GDPR.

Consent from the data subject

The data subject has given consent to the processing of his or her personal data for one or more specific purposes. Note! In many cases, it is not appropriate or perhaps not even possible to rely on a consent given by the data subject to an authority. Furthermore, a consent must always be possible for the data subject to revoke, which may mean that personal data no longer can be processed. Therefore, always consider if you can use some of the other lawful basis for the processing of personal data.

Performance of a contract

If processing of personal data is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract. This could be the lawful basis when processing personal data of an employee to fulfill the obligations in the employment contract.

Compliance of a legal obligation

There are laws and regulations that requires KI to process certain personal data in order to meet these legal obligations. An example of this is processing of personal data that might occurs in connection with KI's accounting since KI has to comply with the Bookkeeping Act.

Protect vital interests

Processing is lawful if the processing is necessary in order to protect vital interests of the data subject or of another natural person, for example if the data subject is unconscious.

Public interest or exercise of authority

Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Legitimate interests

Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. (Legitimate interests are not a lawful basis for the processing of personal data performed by KI as a part of our task as an authority).

Authorities will mainly use some of the following lawful bases:

  • Legal obligation
  • Public interest or exercise of authority
  • Performance of a contract