Data controllers can only process personal data in one of the following circumstances:
- with the consent of the individuals concerned;
- where processing is necessary for the performance of a contract (a contract between your organisation and an individual);
- to meet a legal obligation under EU or national legislation;
- where processing is necessary for the performance of a task carried out in the public interest under EU or national legislation;
- to protect the vital interests of an individual;
- for your organisation’s legitimate interests - except where they are overridden by the rights and freedoms of individuals.
In addition, the GDPR establishes additional conditions for the processing of sensitive data.
More information: