Basics of Data Protection
Data protection is the protection of personal data from misuse, often in connection with the protection of privacy. The purpose and goal of data protection is to safeguard the fundamental right to informational self-determination of the individual person.
Everyone should be able to determine for themselves to whom they disclose which personal data, when and for what purpose.
Processing personal data requires a legal basis. Simply storing, processing, analysing data obtained from other people … that doesn’t sound right, does it?
So, when am I allowed to process data?
The requirements for legally compliant data processing are set out in the GDPR and the Federal Data Protection Act (the BDSG). Thus, data processing is always lawful if there is a specific legal basis, such as in Art. 88 GDPR and Section 26 BDSG for the employment relationship.
In addition, legally compliant consent also forms a suitable legal basis for data processing, see Art. 6 para. 1 lit. a) and Art. 7 GDPR. Data may also be processed for the fulfilment of a contract or for the implementation of pre-contractual measures pursuant to Art. 6 para. 1 lit. c) GDPR.
If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, Art. 6 para. 1 lit. e) GDPR is relevant as a legal basis.
Last but not least, personal data may be processed if this is necessary to protect the legitimate interests of the controller or a third party pursuant to Art. 6 para. 1 lit. f) GDPR. Note, however, that the legitimate interest can only be justified if a documented balancing of the legal interests of the data subject and those of the controller has been carried out.
Therefore, not every interest of the controller is also a legitimate interest under data protection law that is suitable to justify data processing.