If you have a simple website with a separate contact form, you already collect personal data. Since the introduction of the GDPR, collecting personal data means that you have to meet various legal requirements. For example, you must have a legal basis or permission to collect the data.
In this article, we’ll tell you more about the grey area between these legal bases and the need to seek permission.
Six different legal grounds
There are six different legal grounds based on which personal data may be collected.
Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
As an organisation or person, you are responsible for assessing whether you can use one or more of these processing grounds.
Using the legal grounds within a Privacy Statement
When creating a Privacy Statement with Complianz, our wizard will ask you to indicate for what purpose personal data is processed via your website, and also which processing ground is being used. For these 8 purposes, the following grounds are useful:
- Contact – Through phone, mail, email and/or webforms
For this purpose, the most logical processing ground would be to ask for consent (a).
- Payments.
For this purpose, the most logical processing ground would be the Performance of a contract (b).
- Registering an account.
For this purpose, you must choose between Asking consent (a), Performance of a contract (b), or the Legitimate interests (f).
- Newsletters.
For this purpose, the most logical processing ground would be to ask for consent (a).
- To support services or products that a customer wants to buy or has purchased.
For this purpose, the most logical processing ground would be the Performance of a contract (b).
- To be able to comply with legal obligations.
For this purpose, the most logical processing ground would be Compliance with a legal obligation (c).
- Compiling and analyzing statistics for website improvement.
For this purpose, you must choose between Asking consent (a), or the Legitimate interests (f).
- To be able to offer personalized products and services.
For this purpose, the most logical processing ground would be to ask for consent (a).
In any case, by asking users for permission, you are on the safe side!
Source: Complianz.io