When is it possible to process personal data?
On this page
All processing of personal data must be based on a legal authority.
The purpose of the processing determines which authorization is appropriate.
No authority is more legitimate, more important or better than others.
Consent
It is often necessary to obtain the consent of an individual to collect and process personal data.
Consent must be:
informed and unambiguously
can be withdrawn at any time
If the processing of personal data is based on consent, it may only be processed for the purpose for which consent was obtained.
Consent is not applicable
In some cases, consent is not appropriate for the purpose of accommodation:
A government authority cannot rely on consent
Employer cannot rely on consent
The government and employers need to build on a different legal authority.
Processing is necessary
In some cases, the processing of personal data is necessary. In that case, consent is not required.
This may be the case when processing is:
Necessary for a contract Sometimes it is necessary to process personal data in order for the controller to comply with a contract. This can include employment relationship, for contracts with insurance companies and other situations where information about an individual is required before a contract is concluded.
Necessary for legal obligation The controller may process personal data if it is not possible to carry out legal obligations without it, or if other laws apply. For example, laws on money laundering or accounting laws.
Necessary because of a significant interest of an individual or a third party This may apply if an individual cannot give consent. For example, due to illness.
Necessary for the public interest or the exercise of public authority The authorization is primarily focused on the processing of personal data by the government. When authorities process information about individuals, they often do so on the basis of this authorization. This means, among other things, that authorities generally do not need the consent of an individual. However, it may be that the government needs to obtain consent according to other laws and regulations.
Necessary due to legitimate interests of the controller that does not override the data protection rights of the individual This authorisation is a balanced rule. Therefore, the legitimate interests of both the controller and the individual must be evaluated. This authorisation can form the basis for the processing of a number of personal data carried out by private controllers.
