Ensuring the lawfulness of processing

According to previous legislation practices on information self-determination and freedom of information, the legal basis for data processing was given by the stakeholder’s consent and legal obligation. As of May 25, 2015, the European Union’s General Data Protection Regulation has extended the range of these legal bases.




GDPR, lawfulness of processing, legal basis for data processing, data processor, data controller, payroll

Legal bases have come into effect that are

  • Necessary for the performance of a contract
  • Necessary to protect the data subject’s best interests
  • Necessary to perform a task carried out in the public interest
  • Necessary for legitimate interests.


By expanding these legal bases, it will be easier for the organizations to comply, but a wrongly defined legal ground can bring really serious fines – and we are talking about really big numbers here.


Process Solutions as an accounting and payroll service provider, in the majority of their client contracts have a processor role, so a significant part of data processing is necessary for the performance of the contract. At the same time, if only the data of its own employees are taken into account it will appear as a controller.

Depending on the employment relationship, there may be differences in the way personal data arrives, but regardless of whether the data was obtained from the person concerned or from another source, they are obliged to inform the data subjects.

It is also important to note, that data processing can only be initiated if one of the legal grounds established under the regulation exists. However, in many cases, for example, in case of payroll, additional legal bases may exist in the same data processing, and therefore, beyond the performance of the contract, there is a legal obligation.



Powered by FORTIX Consulting