There are six legal grounds for processing which can be found a article 7 of the EU GDPR (https://advisera.com/eugdpracademy/gdpr/lawfulness-of-processing/). These six legal grounds are:
- Consent - The individual has given consent to the processing for one or more specific purposes;
- Necessary for performance of a contract - The processing is necessary for the performance of a contract with the individual or in order to take steps at the request of the individual prior to entering into a contract;
- Legal obligation - The processing is necessary for compliance with a legal obligation to which the controller is subject. Only legal obligations under Union or Member State law will satisfy this condition. However, that law need not be statutory (e.g. common law obligations are sufficient);
- Vital interests - The processing is necessary in order to protect the vital interests of the individual or of another natural person . This is typically limited to processing needed for medical emergencies;
- Public functions (public interest) - The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Those functions must arise under Member State or EU law; or
- Legitimate interests - The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Public authorities cannot rely on this condition.