What are the lawful bases for processing data under GDPR?

What are the lawful bases for processing data under GDPR?

There are six lawful grounds for processing personal data: as part of the performance of a contract, with consent, as a legitimate interest, as a legal obligation, to protect the vital interests of the individual or if in the public interest. All grounds for processing are equally valid, it is for the controller to determine the correct legal basis for processing. GDPR specifically states that Direct Marketing may be considered to be a Legitimate Interest. The ICO has confirmed in guidance that organisations can rely on LI in order to carry out postal direct marketing so long as use of personal data is proportionate, has a minimal privacy impact and an individual is unlikely to be surprised or object. It is for clients to make this assessment on a case-by-case basis.

*You may be wondering what legitimate interest means and what our legitimate interest is. Our business as a marketing service provider rests upon us being able to process personal data for our clients’ direct marketing. If we could not do this then we would not have a business so we have a legitimate interest to do so. Our clients have a legitimate interest in finding new customers or making sure that they deliver the best products and services to existing customers by direct marketing. That on its own is not enough, we also have to balance these interests with yours. We consider whether you will expect to hear from our clients regarding new offers and whether you will be surprised to know that your personal data is in our database. If on balance we think
that you will be happy to receive offers and learn about new products on the market then we can process your data. If you do not want us to do so then tell us and your data will be removed from our database.