What are legal grounds for processing? | GDPR FAQ

Q: I am trying to get my database of existing candidates into compliance for the GDPR. What are the legal grounds for processing personal information?

A: There are six grounds for processing personal data:

  • (a) Data subject has given consent.
  • (b) Processing is needed to fulfill or establish a contract with the data subject.
  • (c) The controller has a legal obligation to process.
  • (d) When processing protects the vital interests of the data subject.
  • (e) Processing would be in the public interest.
  • (f) The controller, or third party, has a legitimate interest in processing the data. This interest cannot override the rights of the data subject, and cannot be applied to special categories of sensitive personal data.
  • References:

  • Article 6(1), GDPR
  • Additional Information:

    In reality, some of these may be less relevant to a recruitment agency than others. It is reasonable to consider times when a consent form, a contractual commitment, or a legitimate interest may be used by a recruiter. Processing to protect the life of the data subject, or for a public interest, are less likely to play a part in recruiters’ compliance programmes.