Basis for Processing
The GDPR provides six different reasons—called bases for processing—that can justify the processing of personal data. For example, the basis can be consent, or it can be that the processing is necessary to fulfil a contract or a legal obligation.
Processing in a GDPR context refers to everything you do with personal data: collect it, store it, share it, view it, use it, analyse it, compile it, change it, delete it—all of it!
It might be easy to think that you haven't processed the data—after all, you've only collected it! But this too is processing. The same applies to deletion and destruction. Thus, all of this requires a basis in one of the six bases for processing to be lawful.
The six bases for processing
The first basis for processing is consent. But before you choose consent as a basis, you should check whether the processing can (or must) be done on another basis.
Beyond consent, there are five other bases. Specifically, the processing may be necessary for...
- entering into or fulfilling a contract (insurance, sales, services)
- a legal obligation (Norwegian Labour and Welfare Administration, employer)
- protecting the life and health of the data subject (medical treatment)
- performing a task in the interest of the public or in the exercise of public authority (schools and universities)
- a legitimate interest of the data controller or a third party, which outweighs the data subject's privacy
All processing of personal data must have a defined purpose, and each purpose is to be linked to one of these six bases for processing. If you also follow the principles of data protection—such as data minimisation and purpose limitation, which you will learn more about in the next topic—you are well on your way to understanding and complying with the GDPR.
The purpose—and the basis for processing upon which it is based—should be written down and documented before you start processing personal data. This is important both for your own sake, and in the case of supervision by the DPA.
What is valid consent?
Consent might sound simple enough, but in practice it is far from the simplest basis for processing and should be chosen only when none of the other alternatives is possible. This is because consent must meet several requirements in order to be valid. As a result, consent as a basis is often both misunderstood and misused.
Consent must be:
- Voluntary – it must be a real choice, without coercion, and without a dependency relationship (e.g., between an employee and employer)
- Specific – there must be a separate consent for each individual purpose; you can't ask for “yes to everything”
- Informed – it should be understandable and unambiguous what one is consenting to
- Active – the box cannot be pre-ticked, consent must be given through an active action
- As easy to withdraw as it is given – at any time and without justification
You should always state who the data controller is and give their contact details. You should disclose the purpose, which personal data you are asking for, and who might access them. And you should both make clear that the consent can be withdrawn at any time and make withdrawing it easy—without the data subject having to give any reason for it.
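The two requirements above (document each purpose and its basis before processing starts, and accept consent only when it is specific, informed, actively given, free of a dependency relationship and withdrawable) can be enforced in code. The following is an added example written for this page, not code from the original text or from any DPA; the class and field names, and the flags used to represent the consent criteria, are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, Optional, Tuple


class Basis(Enum):
    """The six GDPR bases for processing (Art. 6(1)(a)-(f))."""
    CONSENT = "consent"
    CONTRACT = "contract"
    LEGAL_OBLIGATION = "legal_obligation"
    VITAL_INTERESTS = "vital_interests"
    PUBLIC_TASK = "public_task"
    LEGITIMATE_INTEREST = "legitimate_interest"


@dataclass
class Consent:
    """One consent record per data subject and per purpose (hypothetical model)."""
    purpose: str                       # specific: one purpose only
    given_by_action: bool              # active: opt-in, never a pre-ticked box
    informed: bool                     # controller, purpose, recipients, withdrawal explained
    dependency: bool = False           # e.g. employee/employer relationship -> not voluntary
    withdrawn_at: Optional[datetime] = None

    def is_valid(self) -> bool:
        return (self.given_by_action and self.informed
                and not self.dependency and self.withdrawn_at is None)

    def withdraw(self) -> None:
        """Withdrawal needs no justification; it takes effect immediately."""
        self.withdrawn_at = datetime.now(timezone.utc)


@dataclass
class ProcessingRegister:
    """Documented purposes and their bases, plus collected consents."""
    purposes: Dict[str, Basis] = field(default_factory=dict)
    consents: Dict[Tuple[str, str], Consent] = field(default_factory=dict)

    def document_purpose(self, purpose: str, basis: Basis) -> None:
        self.purposes[purpose] = basis          # must happen before any processing

    def record_consent(self, subject: str, consent: Consent) -> None:
        self.consents[(subject, consent.purpose)] = consent

    def may_process(self, subject: str, purpose: str) -> bool:
        basis = self.purposes.get(purpose)
        if basis is None:                       # undocumented purpose: refuse
            return False
        if basis is not Basis.CONSENT:          # necessity was assessed when documented
            return True
        c = self.consents.get((subject, purpose))
        return c is not None and c.is_valid()
```

Calling `may_process` before every collection, storage, sharing or deletion step makes the "no basis, no processing" rule a runtime check rather than a policy statement.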
If you use automated individual decisions, say, processing using artificial intelligence, you must also say so. In addition, you should state whether the data will be transferred outside the EU/EEA—and how it will be secured in that case.
It's common to collect this information in a privacy notice. The EU and national Data Protection Authorities have templates for these that you can use as a starting point.