Article 6(1) GDPR sets out the conditions that must be satisfied for the processing of personal data to be lawful. These are:
- Consent of the data subject;
- Necessary for the performance of a contract with the data subject or to take steps preparatory to such a contract;
- Necessary for compliance with a legal obligation;
- Necessary to protect the vital interests of a data subject or another person where the data subject is incapable of giving consent;
- Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- Necessary for the purposes of legitimate interests.
Please visit: https://gdpr-info.eu/chapter-2/
Part 3, Chapter 2 of the Bundesdatenschutzgesetz sets out the legal grounds for data processing.
Consent of the data subject is necessary to process data. In the case of sensitive personal data being processed, consent should explicitly specify the processing of such data.
The following conditions are required:
- An unambiguous and deliberate act by the user;
- The consent is recorded;
- The text of the consent is accessible to the user at any time; and
- The controller has informed the data subjects about their right to revoke consent at any time in the future.
Personal data can also be processed if permitted or prescribed by legal provisions.
A decision based solely on automated processing which produces an adverse legal effect concerning the data subject or significantly affects him or her shall be permitted only when authorized by law.