The Regulation assumes that data processing is illicit if there is no legal basis consenting it.
The consent is no longer the only legal basis. There are other basis which are placed on an equal footing to consent. The legal basis is different whether it deals with general or sensitive data.
The legal basis for general data can be represent by one of the following points (art. 6.1):
- Consent of the data subject;
- Processing required for the performance of a contract or of pre-contractual measures (e.g. sending an estimate);
- Processing required for fulfilling a legal obligation;
- Processing required to protect the vital interests of the data subject or of another natural person;
- Processing required for the performance of a task carried out in the public interest or related to the exercise of official authority;
- Processing required for a legitimate interest of the controller if the interest and the rights of the data subject are not overriding.
The processing which could be considered licit for the exercise of a legitimate interest includes direct marketing if it is performed for clients that may wait for such a communication on account of the relation between the parts. Anyway, the data subject should always be informed of his/her right to oppose this processing with the opt-out.
The legal basis for sensitive data can be represent by one of the following points (art. 9.2):
- Explicit consent of the data subject;
- Processing required for carrying out the obligations or exercising rights in the field of labor and social security law in so far as it is authorized by Union law;
- processing required to protect the fundamental rights of the data subject or of another natural person;
- processing carried out in the course of its legitimate activities and with appropriate safeguards by a foundation, association or a not-for-profit body with a political, philosophical, religious or trade union aim on condition that the processing relates to former members or persons having contacts with the body itself.
In the case art. 6.1 foresees greater guarantees than art. 9.2, also predictions of the first article in addition to the second will apply to sensitive data processing.