Legitimate bases for personal data processing
Data may only be processed if the processing operation falls within one of the legitimate bases, which are set out in section 2A of the Data Protection Acts. Processing will be legitimate when it is on the basis of the consent of the subject; it will also be legitimate where it is necessary for:
- “the performance of a contract to which the data subject is a party;
- “to take steps at the request of the data subject prior to entering into a contract;
- compliance with a legal obligation to which the data controller is subject other than an obligation imposed by contract;
- “prevention of injury or other damage to the health of the data subject, serious loss of or damage to property of the data subject, or otherwise to protect his or her vital interests where the seeking of the consent of the data subject or another person referred to in paragraph (a) of this subsection is likely to result in those interests being damaged
- “the administration of justice,
- “the performance of a function conferred on a person by or under an enactment,
- “the performance of a function of the Government or a Minister of the Government
- “for the performance of any other function of a public nature performed in the public interest by a person or
- “the purposes of the legitimate interests pursued by the data controller or by a third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the fundamental rights and freedoms or legitimate interests of the data subject”.
These various legitimate bases are discussed in further detail in Chapter 9 of Privacy and Data protection Law in Ireland.