Under GDPR, as well as meeting all of the GDPR principles, an organisation must rely on one of six legal justifications to use personal data, known as the conditions for processing. For instance, you could process a sale to a customer by relying on condition 2, fulfilling a contract.

Different conditions give different rights to individuals. Relying on consent, for instance, gives the person the right to withdraw their consent, a right they must be informed about, usually in a privacy notice.

1. The person gave explicit consent
2. It is to fulfil or prepare a contract
3. There is a legal obligation (excluding a contract)
4. To save someone’s life or in a medical situation
5. To carry out a public function
6. There is some other legitimate interest (excluding public authorities)

If the data is sensitive, i.e. about a person’s race, religion, or health status, there must be an additional justification to process this which can include explicit consent, employment law, or for medical purposes. Under GDPR, genetic and biometric data such as data from a biometric passport or fingerprint scans will now count as sensitive personal data.