Lawful Basis: Contract

There is a lawful basis for personal data processing when the personal data of an individual is required to fulfill a contract obligation or when the individual asks an organization to do something before entering in a contract.
This does not apply when it is reasonably possible to achieve the same goal without processing the personal data.
As always, the action should be documented for justification about the why and how the personal data was gathered and processed.

Contracts

When the personal data processing is required for a contract with an individual, a separate consent is not required.
This is quite simple and straightforward.

When in a special category data is necessary for the contract, then it is also required to identify a separate condition for processing this data.

When the contract is with a child under 18, the organization must consider whether they have the necessary competence to enter into the contract. When in doubt, another lawful basis could be applied, for instance, legitimate interests if it demonstrates that the child’s rights and interests are properly considered and protected.

Rights

When personal data is being processed on the basis of contract, the individual’s right to object and the right not to be subject to a decision based solely on automated processing does not apply. However, the individual has the right to data portability.

Need Help with GDPR?

Get in touch with us if you need help on the subject.

What is GDPR?

GDPR stands for General Data Protection Regulation and, legally, it’s the EU 2016/679 regulation about protection of personal data.

GDPR defines the rights and obligations regarding the gathering, processing and movement of EU citizens personal data. It provides a high and coherent protection level, equivalent in all member states, and is extensible to external EU organizations that work with EU citizens personal data.

The obligations related to the manipulation of personal data now cover things like the right to be forgotten and organizations are now obligated to inform the regulator when they have a personal data breach.

So, what is “personal data”?

In a simple way, it’s all the data about a person that an organization collects, stores and transmits: web forms, cookies, user preferences, medical reports, receipts, etc.. GDPR enforces the lawful, fair and transparent processing of the personal data in relation to the data subject.
In the GDPR legislation, personal data is defined as

any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity

Check Article 4 for detail.

How about highly sensitive data?

GDPR takes into consideration special types of data that are highly sensitive, such as health, criminal convictions, sexual life, political, genetical, etc.. In such cases, special rules are applicable.

Check Article 9 for detail.

Who does this applies to?

This applies to all people and organizations that collect, gather, transmit or process in any way European Union citizens personal data. Yes, this means that non-EU organizations must comply with this regulation when dealing with EU citizens.

Micro, small and medium-sized organizations have a somewhat relaxed compliance levels. It includes a derogation for organizations with fewer than 250 employees with regard to record-keeping.

Public and criminal law organizations are covered by special rules since they address specific national and European issues.

How hard is it for me to comply with GDPR?

As it’s obviously understandable, it will depend on how big your organization is, what it does and how it already addresses the personal data processing.

The best map road for compliance starts with an assessment performed by a multidisciplinary team composed by GDPR certified people, GDPR knowledgeable lawyers and a pragmatic IT team that truly understands GDPR.

Get in touch with us if you need help on the subject.