GDPR defines six lawful bases for processing personal data, at least one of which must apply. They include vital interest (you need a person’s personal data in order to protect their life), public task (applies to official authorities or if you act in the public interest), contract (you need to process data in order to fulfill a contract with that individual) and three others that apply more specifically to your business:
- Consent: your client has given you clear consent to process their personal data for a specific purpose.
- Legal obligation: the processing is necessary for you to comply with the law – this includes if you need to store a client’s medical information for insurance reasons.
- Legitimate interest: processing your client’s data is in your (or their) legitimate interest since you wouldn’t be able to do great work without it.