
The legal bases for compliant data processing

Personal data of data subjects can only be processed compliantly by data controllers and other processors if there is a legal reason for the processing.

Consent

Personal data cannot be processed without the explicit consent of the data subject where other legal bases are not applicable (Article 5(1) of the Data Protection Law). Explicit consent should be freely given, specific, and informed (Article 3 of the Data Protection Law).

If the data subject withdraws explicit consent, continued processing by the data controller that is not based on one of the other legal bases is deemed to be processing contrary to the rules of the Law and honesty.

Contract with the data subject

Personal data of each party to a contract may be processed by the other party provided that it is strictly necessary to execute or perform the contract, for example, processing personal information of an employee by an employer in order to execute an employment agreement (Article 5(2)(c) of the Data Protection Law).

Legal obligations

Personal data may be processed without the explicit consent of the data subject if it is required by law or is required for compliance with a legal obligation to which the data controller is subject. Employers, for example, prepare and maintain personnel files, banks and financial organizations collect and disclose specific information, and employers report personal information of new employees to law enforcement agencies.

Interests of the data subject

Personal data can be processed to safeguard a person’s life or physical integrity, or to protect the life or physical integrity of anybody else who is bodily incapable of giving consent or whose consent would otherwise be ruled invalid. For example, location data from a missing person’s mobile device or CCTV records can be used to track down a missing person.

Public interest

The Data Protection Law does not consider public interest as a legal basis for processing personal data of a data subject. However, when analyzing the boundaries of independent press and the balance between the right to privacy and the right to freedom of expression, the Board considers public interest as a criterion.

Legitimate interests of the data controller

Personal data may be processed without a data subject’s explicit consent if such processing is necessary to the data controller’s legitimate interests; provided, however, that processing does not harm the data subject’s fundamental rights and freedoms (Article 5(2)(f) of the Data Protection Law). For example, the preamble of the Data Protection Law states that the owner of a company may process employee personal data to arrange job promotions or social rights, or to determine their role in the company’s restructuring, each of which constitutes a legitimate interest of the company and does not harm the data subject’s fundamental rights and freedoms.

Legal bases in other instances

Under Article 5 of the Data Protection Law, personal data can be processed without the explicit consent of the data subject under the following conditions:

  • if the personal data is publicised by the data subjects themselves; and
  • if it is mandatory for the establishment, exercise, or protection of certain rights.