Terms for legitimate processing

Purpose of processing, Need to process, Legal basis, and Legitimate interest documentation

The terms purpose of processing, need to process, legal basis, and legitimate interest documentation originate from data protection law. They are central elements intended to ensure that the processing of personal data is transparent and lawful. These terms build upon each other: the purpose implies the need, the legal basis legitimizes the processing, and the legitimate interest serves as a specific legal basis requiring additional balancing. The differences and meanings are explained in detail below.

Purpose of Processing

Personal data must be collected for specified, explicit, and legitimate purposes and must not be further processed in a manner incompatible with those purposes.

→ The purpose of processing is the foundation on which the lawfulness of processing is evaluated. Without a clear purpose, the processing is unlawful.

Examples:

  • Managing an employment relationship (e.g., payroll processing)
  • Marketing activities (e.g., sending newsletters)
  • Contract fulfillment (e.g., order and payment processing)

Need to Process

The purpose of processing implies the need to process data. The necessity of data processing must always be evaluated within the context of the specific purpose and legal basis.

→ Processing is unlawful if it is unnecessary or not justified by a legitimate purpose.

You specify the need to process when creating a new processing activity. It can be reviewed and edited under the General tab.

Examples:

  • Salary payment to employees:
    • Purpose: Payment of salary.
    • Need: Without processing data such as name, bank account, and salary amount, payment cannot be made.
  • Order processing and delivery:
    • Purpose: Delivery of goods to customers.
    • Need: Without processing data like name, address, and payment information, orders cannot be processed or delivered.

Legal Basis

Under data protection laws (e.g., GDPR), processing must be based on a legal basis to be lawful. At least one of the following conditions must be met:

  • Consent: The data subject has given consent to process their personal data for one or more specific purposes.
  • Contract fulfillment: Processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the data subject's request before entering into a contract.
  • Legal obligation: Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Vital interests: Processing is necessary to protect the vital interests of the data subject or another natural person.
  • Public interest: Processing is necessary for the performance of a task carried out in the public interest or the exercise of official authority vested in the controller.
  • Legitimate interests: Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject, especially when the data subject is a child. For this, legitimate interest documentation must be provided.

→ The legal basis is crucial for ensuring the lawfulness of data processing. It is displayed on the platform based on activated laws.

The purpose of processing and the legal basis can be created as attributes under Compliance Settings and linked to a processing activity. A brief description suffices to create a purpose for processing. A short description and the applicable law should be provided for the legal basis.

Legitimate Interest Documentation

The legitimate interest documentation is more complex, as it requires carefully balancing the interests of the controller or a third party against the fundamental rights and freedoms of the data subjects.

To simplify this process, the platform provides a dedicated area for detailed documentation of your legitimate interests.

→ This balancing test forms the basis for the lawfulness of processing and serves as a legal basis.

Summary of Differences

Term | Question being answered | Example
Purpose of Processing | What is the data being processed for? | Sending a newsletter
Need to Process | Why is the processing important? | Salary payment
Legal Basis | On what legal basis is the processing carried out? | Consent of the data subject
Legitimate Interest | Why does our interest outweigh the rights of the data subjects? | Video surveillance for theft prevention
