A. Principles relating to processing of personal data
Processing shall be lawful only if at least one of the criteria in Art. 6 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) is fulfilled.
THE LEGAL BASIS FOR THE PROCESSING OF PERSONAL DATA
Art. 6 GDPR. Lawfulness of processing
1. Processing shall be lawful only if and to the extent that at least one of the following applies:
- The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- Processing is necessary for compliance with a legal obligation to which the controller is subject;
- Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Personal data shall be collected for specified, explicit and legitimate purposes.
Personal data shall be limited to what is necessary in relation to the purposes for which they are processed.
Every reasonable step must be taken to ensure that personal data that are inaccurate are erased or rectified without delay.
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
The controller shall be responsible for, and be able to demonstrate compliance with, the principles relating to processing of personal data.