Skip to main content

Data collection requirements under GDPR

The GDPR was drafted to protect EU citizens’ and residents’ personal data and privacy. According to the GDPR, personal data that might be used to identify a person should only be collected with lawful basis. Let’s look at how to make a GDPR Data Collection and the six lawful bases for collecting and processing personal data listed in the GDPR.

Data collection lawful bases under GDPR

Whether you have a valid basis to collect personal data will depend on your purpose for data collection and your relationship with the individual. 

Here is an overview of the six acceptable lawful bases for processing data listed in GDPR Article 6:

  1. You get consent to collect and process someone’s data. 
  2. You need the data to fulfil a contract with the person. 
  3. You need the data to comply with a legal obligation. 
  4. You need the data to protect someone’s interests. 
  5. You need the data to perform a task that is in the public interest, or in the exercise of official authority.  
  6. You need the data for “legitimate interests”. 

Determine your lawful basis before you begin collecting data, and document it. Your privacy notice should include your lawful basis for processing as well as the purposes of the processing. 

Start your GDPR cleanup where it is needed the most

Sensitive data can tends to accumulate in the employees' e-mails. With a GDPR Risk Scan from DataMapper, you get a report that shows any potential GDPR risks in the company's e-mails.

Remember this when you collect data

If you are processing sensitive data, you need to identify both a lawful basis for general processing and an additional condition for processing this type of data. Here is a checklist for collecting data correctly:

  • Review your data processing activities and select the most appropriate lawful basis (or bases) for each activity. 
  • Make sure data collection is necessary for the purpose you’ve selected. Is there another less-intrusive way to achieve that purpose? 
  • Document the lawful basis you selected to demonstrate compliance. 
  • Include information about your lawful basis and purposes of data collection in your privacy notice. 
  • If you collect sensitive data (special category data), or criminal offence data, identify an additional condition for processing that type of data and document it. 

If you are processing criminal conviction data or data about criminal offences, you should identify both a lawful basis for general processing and an additional condition for processing this type of data. 

Data collection principles

You should also consider how the fundamental GDPR principles in Article 5 of the GDPR apply to data collection and processing: 

Lawfulness, fairness and transparency
Make sure you have legal basis as described above. Don’t deceive people or hide anything from them when you collect their data.  

Purpose limitation
Only use the data for the purpose you disclosed when collecting it.  

Data minimisation
Only collect the personal data you really need. Separate required data fields from optional ones on your contact forms or eliminate optional/ unnecessary fields altogether. 

Make sure the data you collect will be kept accurate and up to date. You should request updates from people from time to time to keep data accurate or delete. 

Storage limitation
Set a data retention limit now and stick to it.  

Integrity and confidentiality
Use encryption, passwords, ID verification and other technical and organisational measures to protect data at rest and in transit. 

Keep written records of your data processing activities to show your compliance. 

Let’s look a little more closely at the documentation you should keep when collecting personal data. 

Get our Newsletter!

In our newsletter you get tips and tricks for dealing with privacy management from our founder Sebastian Allerelli.

When you sign up for our newsletter you get a license for one user to ShareSimple, which will give you a secure email in Outlook. This special offer is for new customers only, with a limit of one freebie per company.

Data collection documentation for GDPR compliance

GDPR Article 30 requires you to keep written records of your data processing activities, including: 

  • Your company name and contact details 
  • The names and contact details for any joint controller or controller’s representative, if applicable 
  • The name and contact for your data protection officer (DPO), if applicable 
  • The reason (purpose) for processing the personal data 
  • The categories of data subjects and categories of personal data you collected 
  • The categories of recipients to whom personal data have been/will be disclosed, including recipients in third countries and international organisations 
  • Any cross-border transfers to third countries or international organisations + documentation of suitable safeguards 
  • Your data retention periods for different categories of data 
  • The technical and organisational security measures you’ve put in place to protect personal data. 

The easy way to collect personal data

Collecting personal data requires knowledge and time. In Safe Online, we have developed tools to automate the collection of personal information.

DataMapper – Find your sensitive data
ShareSimple – Send and receive data securely in Outlook
RequestManager – Process data subject requests easily

Sebastian Allerelli

Founder & COO at Safe Online
Governance, Risk & Compliance Specialist
Follow me on LinkedIn to get tips on GDPR →


How to handle sensitive personal data


How to find personal data with datamapping tool


How to prepare for a data audit