Lawfulness means that personal data must only be processed when organizations have a legal ground for processing the data. Lawfulness, therefore, requires that the data processing be allowed and carried out within the limits of the applicable laws. This may include data protection laws and other applicable rules and codes dealing with areas such as employment, competition, health, tax, or any other objectives of general public interest, depending on the particular case.
For the data processing to be lawful, it must be consistent with all laws applicable in the particular circumstances. Under the applicable data protection laws, the processing of personal data will be considered lawful only when, and to the extent that, one of the following legal grounds is met:
- Consent: the individual has given consent to the processing of their personal data for one or more specific purposes;
- Contract performance: the processing is necessary for the performance of a contract to which the individual is party or to take steps at the request of the individual before entering into a contract;
- Legal obligation: the processing is necessary for compliance with a legal obligation to which the organization is subject;
- Vital interest of individuals: the processing is necessary to protect the vital interests of the individual or another natural person;
- Public interest: the processing is necessary for the performance of a task carried out in the public interest or the exercise of official authority vested in the organization;
- Legitimate interest: the processing is necessary for the legitimate interests pursued by the organization or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the individual, which require personal data protection, in particular where the individual is a child.
