Under the GDPR, a legal basis is what makes the processing of personal data lawful.
Laypersons often feel unsure about this point. We recommend that you simply proceed by process of elimination and first rule out the legal bases that obviously do not apply. Go through the following options step by step:
Anyone who processes data on the basis of a legal or contractual obligation is always on the safe side. In the context of projects, data must be processed on the basis of existing contracts. Employee data must be processed due to labour law provisions. Certain data must be stored due to financial and tax laws.
If there are no legal or contractual obligations, it is possible to obtain the consent of the data subjects. Ideally, this should be done in writing, as it can then be documented. However, consent can theoretically also be given verbally. This legal basis is suitable, for example, when storing data for marketing purposes or for obtaining consent for the publication of photos and videos.
Data controllers can also process data on the basis of a "legitimate interest". However, it must be possible to justify this interest. The GDPR provides for a comprehensive balancing of interests in which you compare your interests with the possible interests of the data subjects and weigh up the risks. In case of doubt, it should be possible to submit such a balancing of interests to a data protection authority; otherwise, penalties or fines may be imposed.
(We have omitted the legal bases "vital interests" and "task in the public interest" here, as they are not relevant in the context of Erasmus+ projects.)
A detailed description of all legal bases can be found in our module "Basic course on data protection".
Note: This e-learning does not constitute legal advice!
Source: Peggy und Marco Lachmann-Anke on Pixabay