Ground for Data Processing

A legal ground is the basis the absence of which makes data processing inadmissible. The list established by the law is composed of 8 grounds:

● Data subject’s consent – a person’s voluntary, informed and clearly expressed consent to processing of his/her personal data. For example, agreeing to a web-page’s privacy policy, or signing a contract, that explains what data are processed and for what purposes, etc.
● Legal ground – data may be processed if this is directly envisaged by law .
● Compliance with statutory obligations – processing of data is necessary to comply with statutory obligations, for example, storage of data for a certain time for taxation purposes.
● Protection of a vital interest - it implies the cases when processing of data is necessary to save a person’s life or averting a serious risk to one’s health. For example, if during emergency a person’s life is at risk and in order to save him/her it is necessary to locate this person.
● Accessibility of information – implies the cases when information is public in accordance with the law or it was made public by the data subject personally. For example, a photo or contact details you share publicly on social network.
● Protection of an essential public interest – data may be processed in order to protect an essential public interest, such as prevention of a crime, protection of property or a child from undue influence, etc.
● Protection of a legitimate interest - processing of data on this ground is admissible in order to protect legitimate interests of a data controller or a third person if their interests prevail over the interest of securing the rights and freedoms of a data subject.
● Handling a data subject’s complaint or provision of a service – processing a person’s data in order to provide him/her with a service. For example, to deliver you an order, an organization needs to know your address. To be able to buy something on credit, the company needs to be informed about your income.
To avoid violation of the law, organization that processes your data must rely on at least one legal ground.