SUGGESTION Judges invoke legal principles such as these to interpret laws and fill in the actual or potential legal gaps when addressing legal disputes.90 Similarly, data protection principles may support SMEs in better understanding the other provisions of the GDPR that they are required to comply with. For example, the obligation of the data controller to provide information about the processing of personal data to a data subject91 is one of the ways in which the GDPR puts into practice the
2.4. What are the possible legal bases for personal data processing? 2.4.1. Background To process personal data lawfully, meaning in accordance with the principle of lawfulness, SMEs need to specify a legal basis (legal ground). The Article 6 of the GDPR foresees these legal bases:
2. Personal data protection basics
principles of lawfulness, fairness and transparency.
» the data subject consented to the processing; » the processing is necessary for the performance of a contract to which the data subject is a party;
» the processing is necessary to comply with a legal obligation existing upon the controller;
» the processing is necessary to protect the vital interests of data subjects or of another person;
» the processing is necessary for the performance of a task carried out by the data controller in the public interest or in exercising official authority; and
90
Footnote 79.
91
See 2.5 What are data subjects’ rights? 51