What are the lawful bases the data controller can use to process customer data?


The data controller can choose from six data processing bases. These are:

1. Contract: This applies when you need to process the customer's personal data to fulfill your contractual obligations, or to take some action based on the customer's request (e.g. sending a quote or invoice).

2. Legal Obligation: This applies when you have to comply with an obligation under any applicable law (e.g. providing information in response to valid requests, such as an investigation by an authority).

3. Vital Interests: This applies to urgent matters of life and death, especially with regard to health data.

4. Public Task: This applies to activities of public authorities.

5. Legitimate Interests: These can include commercial interests, such as direct marketing, individual interests, or broader societal benefits.

6. Consent: Consent is also a lawful basis to process data. Consent of the data subject means "any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."

The processing activities under these lawful bases should take place in ways that people normally expect. The controller must document and keep a record of decisions on legitimate interests in the form of a Legitimate Interests Assessment.


