Lawfulness of personal data processing


Personal data may be processed by the data controller based on statutory grounds. These conditions are set out in detail in Article 6 of the GDPR Regulation.

When may personal data be processed?

Pursuant to Article 6 of the GDPR, personal data may be processed if:

  • the data subject consents to it, unless it concerns the deletion of data relating to him,
  • it is necessary to exercise an entitlement or fulfill an obligation resulting from a legal provision,
  • it is necessary for the performance of the contract when the data subject is its party or when it is necessary to take action before concluding the contract at the request of the data subject,
  • it is necessary to perform tasks specified by law for the public good,
  • it is necessary to fulfill legally justified purposes pursued by data controllers or data recipients, and the processing does not violate the rights and freedoms of the data subject.

All the above-mentioned conditions are equal and the fulfillment of any of them entitles to data processing.

Legality of personal data processing - what should you pay attention to?

The first premise, i.e. the consent of the data subject, is the most frequently used basis for data processing. However, it should be remembered that all premises are equal.

Due to the fact that consent is the most frequently used basis for data processing in trade, it will be given a bit more attention. Please note that:

  • According to the Act, consent may not be presumed or implied from declarations of will of a different content, i.e. it should be explicit,

  • Consent should be clear and concrete. The person giving consent should know what data are meant as well as the purposes for which the data will be used,

  • The consent may not be blank and refer to unspecified personal data processed for unspecified purposes,

  • The consent may be withdrawn at any time.

To sum up, consent must be explicit and all its aspects should be clear to the signatory at the time of expression.

Consent to the processing of personal data in the form of a declaration of will must be given consciously, clearly and - importantly - freely. It happens that consent clauses are included in the content of contracts, regulations or other statements.

By including clauses of consent to the processing of personal data in the content of the regulations or other declarations of will, the data subject has no chance to freely grant this consent. The consumer ordering goods or services is obliged to accept the entire regulations, including consent, even if he or she does not wish to express it, in order to fulfill the order. In this case, the person is deprived of the freedom to consent to the processing of his personal data.

The correct solution will be to separate clauses regarding consent to the processing of personal data from other declarations of will, so as to leave the person who is to give consent the freedom to make a decision in this regard.

Summing up, it should be remembered that the provisions state that the processing of personal data is legal when at least one of the conditions mentioned by them is met. When verifying the legality of the processed data, the data controller processing personal data should always refer to the grounds for their legal processing, as specified in the GDPR Regulation.