What is lawful processing of personal data?
The core rule for all processing of personal data under GDPR is strict adherence to the principles set out in Article 5 GDPR. These principles underpin every activity and impose demanding obligations on organisations to safeguard individuals’ rights and privacy. In practice, to act lawfully every operation must comply with the following:
- Lawfulness, fairness and transparency: processing must be lawful, fair and transparent for the data subject.
- Purpose limitation: data may only be collected for specific, explicit and legitimate purposes.
- Data minimisation: process only what is necessary for the stated purpose.
- Accuracy: keep personal data accurate and up to date.
- Storage limitation: do not keep data longer than necessary.
- Integrity and confidentiality: protect data against unauthorised access, alteration, loss or destruction.
The GDPR definition of processing personal data: under the GDPR, “processing” is any operation performed on personal data, whether automated or not. As a rule of thumb: if anything is done to a personal data item, it is a processing operation.
Information about processing of personal data
Providing clear and relevant information to data subjects is a fundamental principle of processing personal data under the GDPR. Organisations must know what is processed, for what purposes and how it affects individuals’ rights. Delivering the right information at the right time reduces administrative burden while preserving customer trust.
Articles 13 and 14 GDPR specify what must be communicated — Article 13 applies when data is collected from the individual, while Article 14 applies when obtained from another source. Failures can trigger complaints, administrative fines or reputational damage.
Morling Consulting provides tailored advice on what to communicate and how. We draft and review privacy notices, identify practical ways to provide information to data subjects and deliver training and ongoing advice on processing personal data under the GDPR across Europe.
IDENTIFY THE LEGAL BASIS
What is lawful processing of personal data? Legal bases under Article 6
Identifying the legal basis for processing is essential to meet GDPR. It reflects Article 5 GDPR’s principles and is a precondition for lawful activity. Processing without a valid legal basis is unlawful and may result in administrative fines following supervision by the Data Protection Agency. Under Article 6 GDPR there are six legal bases:
- Consent of the data subject.
- Performance of a contract.
- Legal obligation.
- Protection of vital interests.
- Task carried out in the public interest or exercise of official authority.
- Legitimate interests.
Choosing the right legal basis is not always straightforward and demands a careful assessment of the purpose and context. Each basis carries different requirements (for example documentation, information to data subjects or a right to object) and must be applied within its limits, consistent with the GDPR definition of processing personal data and the obligations that follow from it.
How we support you with processing of personal data
We help your organisation apply the principles of personal data processing by assessing your activities against GDPR’s principles. Common questions include what is processing of personal data, which information must be provided to data subjects and how to operationalise lawful grounds in practice. Our guidance is pragmatic, business-focused and aligned with the GDPR rules on processing personal data.
Working with Morling Consulting gives you access to specialist GDPR lawyers who assess your processing arrangements and risks. In doing so, you protect your brand and customer relationships. Contact us to discuss how we can help you manage the processing of personal data under the GDPR across Europe.
Common questions and answers on processing of personal data
Processing is any operation performed on personal data, whether automated or not. It includes collecting, recording, organising and storing, as well as altering, using or disclosing. Restricting, erasing or destroying also count as processing under the GDPR definition.
All processing must follow GDPR’s principles. Personal data must be processed lawfully, fairly and transparently; only for specific and legitimate purposes; only to the extent and for the time necessary; and with protection for privacy and confidentiality.
Under Articles 13 and 14 GDPR, organisations must explain what data is processed, why and on what legal basis, who the controller is, how long data is kept and what rights the individual has. Morling Consulting helps you formulate the mandatory information, for example in a privacy notice, and tailor it to your operations.
Several legal bases may be available for a processing activity, but one must be selected and documented before processing starts. Article 6 GDPR sets out six options: consent, contract, legal obligation, vital interests, public interest and legitimate interests. We help you identify and document the appropriate basis correctly.
Support typically includes: reviewing how personal data is handled in your systems; drafting privacy notices and consent wording; guiding you through incidents; assessing whether a Data Protection Impact Assessment (DPIA) is required and conducting it where needed; and providing legal interpretation for specific scenarios. Advice is tailored to your size, ways of working and needs.
Any information relating to an identified or identifiable natural person. For example: name, national ID number, email address or IP address; images, audio or video; or staff, customer or supplier records. Even indirect identifiers can be personal data if they can be linked to an individual.
Breaches can lead to supervision by the Data Protection Agency, administrative fines of up to EUR 20 million or 4% of global turnover, and loss of trust among customers, partners and the public. Morling Consulting helps you minimise risks and respond correctly to scrutiny.
A data processing agreement is required when you, as controller, engage an external party (for example a cloud provider) to process personal data on your behalf. We review or draft agreements to ensure they meet GDPR.
Contact
Contact us
If you prefer phone, please feel free to contact Felix Morling at +46 70 444 42 85