Skip to main content

Data collection requirements under GDPR

The GDPR was drafted to protect EU citizens’ and residents’ personal data and privacy. According to the GDPR, personal data that might be used to identify a person should only be collected with lawful basis.  

Let’s look at the six lawful bases for collecting and processing personal data listed in the GDPR. 

Data collection lawful bases under GDPR

Whether you have a valid basis to collect personal data will depend on your purpose for data collection and your relationship with the individual. 

Here is an overview of the six acceptable lawful bases for processing data listed in GDPR Article 6:

  1. You get consent to collect and process someone’s data. 
  2. You need the data to fulfill a contract with the person. 
  3. You need the data to comply with a legal obligation. 
  4. You need the data to protect someone’s interests. 
  5. You need the data to perform a task that is in the public interest, or in the exercise of official authority.  
  6. You need the data for “legitimate interests”. 

Determine your lawful basis before you begin collecting data, and document it.  

Your privacy notice should include your lawful basis for processing as well as the purposes of the processing. 

Handling sensitive data

If you are processing sensitive data, you need to identify both a lawful basis for general processing and an additional condition for processing this type of data. 

If you are processing criminal conviction data or data about criminal offences, you should identify both a lawful basis for general processing and an additional condition for processing this type of data. 

Data collection checklist

Review your data processing activities and select the most appropriate lawful basis (or bases) for each activity. 

Make sure data collection is necessary for the purpose you’ve selected. Is there another less-intrusive way to achieve that purpose? 

Document the lawful basis you selected to demonstrate compliance. 

Include information about your lawful basis and purposes of data collection in your privacy notice. 

If you collect sensitive data (special category data), or criminal offence data, identify an additional condition for processing that type of data and document it. 

Data collection principles

You should also consider how the fundamental GDPR principles in Article 5 of the GDPR apply to data collection and processing: 

Lawfulness, fairness and transparency  

Make sure you have legal basis as described above. Don’t deceive people or hide anything from them when you collect their data.  

Purpose limitation 

Only use the data for the purpose you disclosed when collecting it.  

Data minimization 

Only collect the personal data you really need. Separate required data fields from optional ones on your contact forms or eliminate optional/ unnecessary fields altogether. 


Make sure the data you collect will be kept accurate and up to date. You should request updates from people from time to time to keep data accurate or delete. 

Storage limitation 

Set a data retention limit now and stick to it.  

Integrity and confidentiality  

Use encryption, passwords, ID verification and other technical and organizational measures to protect data at rest and in transit. 


Keep written records of your data processing activities to show your compliance. 

Let’s look a little more closely at the documentation you should keep when collecting personal data. 

Data collection documentation for GDPR compliance

GDPR Article 30 requires you to keep written records of your data processing activities, including: 

  • Your company name and contact details 
  • The names and contact details for any joint controller or controller’s representative, if applicable 
  • The name and contact for your data protection officer (DPO), if applicable 
  • The reason (purpose) for processing the personal data 
  • The categories of data subjects and categories of personal data you collected 
  • The categories of recipients to whom personal data have been/will be disclosed, including recipients in third countries and international organisations 
  • Any cross-border transfers to third countries or international organisations + documentation of suitable safeguards 
  • Your data retention periods for different categories of data 
  • The technical and organisational security measures you’ve put in place to protect personal data. 

Want more free data privacy tips?

Get the latest data privacy management news, trends and expert tips delivered straight to your inbox.

    Tip: Set up a safe upload point for data collection

    You and your employees probably collect people’s personal data in a variety of ways. People might share personal information with you and your employees by email, social media, or in a chat box. Once this personal data makes its way into your company’s storage, you are responsible for it.  

    To reduce the amount of personal data that comes in to your company without proper consent, documentation and protection, set up a safe data upload point. You can add a TrustedLink to your website or email signature so that people always have a safe way to share data with you. 

    TrustedLink gets consent automatically before accepting a person’s data, and sends the data to you in a secure, encrypted folder that you can access with a one-time-password. It saves the data securely for 32 days by default, or your pre-set data retention period, then automatically deletes it.  

    TrustedLink is an optional add-in for ShareSimple. Read more here. 

    Sebastian Allerelli

    Governance, risk, and compliance specialist