The General Data Protection Regulation (GDPR) establishes clear rules regarding the lawfulness of personal data processing. According to Article 6 of the GDPR, data processing is lawful only if at least one of the following conditions applies:
- Consent of the data subject – The data subject must explicitly consent to the processing of their data for a well-defined purpose.
- Performance of a contract – Processing is necessary for the execution of a contract to which the data subject is a party or to take steps at their request before entering into a contract.
- Legal obligation – The data controller must process the data to comply with a legal obligation.
- Protection of vital interests – Data may be processed to protect the life or integrity of the data subject or another person.
- Public interest or official authority – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
- Legitimate interest – The controller or a third party may process data if they have a legitimate interest that does not override the fundamental rights of the data subject.
Consent and Its Withdrawal
When data processing is based on consent, the controller must be able to demonstrate that it was given freely and with full awareness. The request for consent must be clear, separate from other clauses, and expressed in an accessible language.
The data subject has the right to withdraw their consent at any time, and the withdrawal process must be as simple as granting it. The withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
Conclusion
The lawfulness of personal data processing is essential for protecting individual rights. Whether based on consent, contractual obligations, or public interest, any processing must comply with GDPR principles. If you need clarification regarding data processing or legal assistance, consult a lawyer specializing in data protection.
EN 
RO