LUXEMBOURG SUPERVISORY AUTHORITY: DATA PROCESSING LAWFULNESS

Before processing personal data, it is necessary to identify the legal basis on which the processing rests. Personal data processing is lawful only if it meets at least one of the following conditions:

  • The data subject has consented to the processing of personal data for one or more specific purposes.
  • The processing is necessary for the performance of a contract to which the data subject is party, or for the implementation of pre-contractual measures taken at the data subject's request.
  • The processing is necessary in order to fulfil a legal obligation (clear and specific) to which the data controller is subject.
  • The processing is necessary in order to protect the vital interests of the data subject or of another natural person.
  • The processing is necessary to perform a public task or in connection with the exercise of public authority vested in the data controller.
  • The processing is necessary for the legitimate interests pursued by the data controller (for example, marketing purposes, anti-fraud, processing of client or employee data, processing security, and so on).

CONSENT.

The consent of the data subject is one of the legal bases, or “conditions of lawfulness”, on which personal data processing can be based.

The GDPR has elaborated the provisions on the conditions applicable to consent, insisting on its “free, specific, informed and unique” nature, so that the data subject has a real choice.

In addition, the data subject has the right to revoke consent at any time; the revocation does not affect the lawfulness of processing based on consent given before the revocation.

What about a child’s consent?

If you collect data about children, in particular on your commercial website (for example: online games, social networks), it is necessary to obtain the consent of their parents or legal guardians.

  1. Article 7 of the General Data Protection Regulation – Conditions for consent
  2. Article 8 of the General Data Protection Regulation – Conditions applicable to child’s consent in relation to information society services
  3. Guidelines on consent under Regulation n. 2016/679

SENSITIVE DATA PROCESSING. 

Special measures or rules may apply to the processing of so-called “sensitive” personal data (for example: data protection impact assessment, additional information when collecting consent, contract terms). This is data that reveals:

  • ethnic or racial origin,
  • political opinions,
  • religious or philosophical beliefs,
  • trade union membership,
  • as well as genetic data,
  • biometric data used to uniquely identify a natural person,
  • health data or data concerning the sex life or sexual orientation of a natural person.

For this reason, the processing of this data is forbidden, except in one of the following cases:

  1. the data subject has given explicit consent to the processing of the personal data for one or more specific purposes, except where Union or Member State law provides that the prohibition on processing this data cannot be lifted by the data subject;
  2. the processing is necessary for the purposes of carrying out the obligations and exercising the rights of the data controller or of the data subject in the field of employment, social security and social protection law, insofar as this processing is authorised by Union law, by Member State law or by a collective agreement under Member State law that requires guarantees for the fundamental rights and interests of the natural person;
  3. the processing is necessary in order to protect the vital interests of the data subject or of another natural person, where the data subject is physically or legally unable to give consent;
  4. processing is carried out, as part of its legitimate activities and with adequate guarantees, by a foundation, association or other non-profit-making body that pursues a political, philosophical, religious or trade-union aim, provided that such processing relates exclusively to members or former members of that body or to persons who maintain regular contact with it in relation to its purposes, and that personal data are not disclosed outside that body without the consent of the persons concerned;
  5. the processing relates to personal data made manifestly public by the data subject;
  6. processing is necessary for the establishment, exercise or defence of legal claims or whenever the courts act in their judicial role;
  7. processing is necessary for reasons of overriding public interest, on the basis of Union law or the law of a Member State which must be proportionate to the objective pursued, respect the essence of the right to data protection and provide for appropriate and specific measures to safeguard the fundamental rights and interests of the data subject;
  8. the processing is necessary for the purposes of preventive medicine or occupational medicine, the assessment of the worker’s ability to work, medical diagnosis, health or social care, or the management of health care or social protection systems and services, on the basis of Union law, the law of a Member State or a contract concluded with a health professional, and subject to the conditions and safeguards referred to in Article 9(3) GDPR;
  9. the processing is necessary for reasons of public interest in the field of public health, such as protection against serious cross-border threats to health, or in order to ensure high standards of quality and safety in healthcare and medicines or medical devices, on the basis of Union law or the law of the Member State providing for appropriate and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
  10. processing is necessary for archiving purposes in the public interest, for scientific or historical research or statistical purposes within the meaning of Article 89(1) of the GDPR, on the basis of Union law or the law of a Member State which must be proportionate to the objective pursued, respect the essence of the right to data protection and provide for appropriate and specific measures to safeguard the rights and fundamental interests of the data subject.

National law may impose additional conditions, including limitations, with regard to the processing of genetic data, biometric data or health data.

  1. Article 9 of the General Data Protection Regulation – Processing of special categories of personal data

FURTHER PROCESSING OF DATA

The processing of data for a purpose other than that for which the data was collected may take place only if the new purpose is compatible with that initially envisaged, in compliance with the principle of purpose limitation.

In order to determine whether a purpose is compatible or not, it is necessary to take into account the following elements (if the initial processing was not based on the data subject’s consent or on Union or national law adopted in implementation of Article 23 of the GDPR):

  • the possible existence of a link between the purposes for which the personal data were collected and the purposes of the further processing envisaged;
  • the context in which the personal data were collected, in particular with regard to the relationship between the data subject and you;
  • the nature of the personal data, in particular if the processing concerns special categories of personal data, in accordance with Article 9 of the GDPR, or if personal data relating to criminal convictions and offences are processed, in accordance with Article 10 of the GDPR;
  • the possible consequences of the further processing envisaged for the data subjects;
  • the existence of adequate safeguards, which may include encryption or pseudonymisation.

  1. Article 6 – Lawfulness of processing
  2. Article 5 – Principles relating to the processing of personal data

SOURCE: LUXEMBOURG DATA PROTECTION AUTHORITY
