Valid purposes for processing (‘lawful basis’) under EU data protection law
Controllers must have a valid lawful basis for processing under EU data protection law in order to process personal data.
There are six lawful bases available for processing under GDPR. Processing special category data requires controllers to both identify a lawful basis for general processing and to meet an additional condition for processing that type of data.
No single basis is ’better’ or more important than the others — the most appropriate basis depends on the processing purpose and relationship of the controller to the individual.
“Lawful basis” and GDPR
The core requirement of data protection law is that information technology should be used only for purposes that benefit humanity. In order to achieve this goal, EU data protection law since its inception regards automated personal data processing as generally illegal unless the controller is able to identify a lawful base from it from a list of allowable basis for data processing. As a general rule, the list is exhaustive and Member States cannot add new principles or impose additional requirements.