The first rule of data protection is: You may only use data if such use is justified. Without exception. Every time we use data we must have justifiable grounds for being able to process or handle that data. And according to the GDPR, “processing” basically includes everything that can be done with data. From collection to use to deletion.
But when is the use justified? You need to check – or have checked – whether one of the following three points applies:
1. It is allowed or even required by statute, or it is necessary for compliance with legal obligations.
2. You need to process the data to fulfill your contract.
3. The legitimate interest in processing the data outweighs the legitimate interest of the data subject.
If none of the three points apply, you definitely need the data subject’s consent.
Learn more about data protection in our “data protection for employees” course.