
SWEDISH SUPERVISORY AUTHORITY: When can you collect personal data?

You must have support in law in order to collect personal data; this is called “having a legal basis”.
There are different types of legal basis.
For example, one of them can be an agreement between you and a client, which gives you the right to collect the information necessary to fulfil the agreement. To collect other information, consent is necessary, which means that you must ask the person for authorization.

Personal data can be collected only for “specific, explicit and legitimate purposes and not later processed in a manner incompatible with those purposes”. For this reason, data collected for one specific purpose cannot be used for a different, incompatible purpose.

A company can, for example, equip its cars with special GPS devices used for electronic driving records in order to simplify reporting to the Swedish IRS (Internal Revenue Service). However, the employer cannot use the information collected by the GPS to check how employees use their time.

To process personal data, it is important to have support in the data protection Ordinance. This is called having a legal basis. There are many legal bases that companies can use. The best known are:

Legal obligation.
In some cases, companies are required to register personal data, for example in order to comply with the compulsory accounting under the Accounting Law.

Agreement.
Employment agreements, agreements with clients and agreements with suppliers are examples of agreements that require companies to register and manage personal data. However, the company may register only the information necessary to fulfil the agreement.

Consent.
Another legal basis can be consent, which means that the person concerned is asked for permission to register their information. According to the General Data Protection Regulation, consent is “any kind of voluntary, specific, informed and unequivocal expression of the will, by which the person, through an unequivocal statement or affirmative action, accepts the processing of personal data concerning him.”

If your company must collect information on the basis of consent, the person must first be given clear information about which information will be collected and what it will be used for, so that they can give their consent.

Balance of interests.
It is also possible to process personal data after a balance of interests, if the company can prove that it has a legitimate need to process the data and that this need outweighs the data subject's right to data protection.

Examples of legal bases.
These are some examples of legal bases that can be used when personal data are processed in different IT systems:

  • wage system, legal basis – contract and legal obligation
  • customer register, legal basis – agreement (consent is required for certain information)
  • website, legal basis – consent or balance of interests

SOURCE: SWEDISH DATA PROTECTION AUTHORITY
