
Data collection requirements under GDPR

The GDPR protects the personal data and privacy of individuals in the EU, regardless of their citizenship. Under the GDPR, personal data (any information relating to an identified or identifiable person) may only be collected and processed with a lawful basis.

Let’s look at how to collect personal data in line with the GDPR, and at the six lawful bases for collecting and processing personal data listed in Article 6.

Data collection lawful bases under GDPR

Whether you have a valid basis to collect personal data depends on your purpose for collecting it and on your relationship with the individual.

Here is an overview of the six acceptable lawful bases for processing data listed in GDPR Article 6:

  1. You get consent to collect and process someone’s data. 
  2. You need the data to fulfill a contract with the person (or to take steps at their request before entering into one). 
  3. You need the data to comply with a legal obligation. 
  4. You need the data to protect the vital interests of the person or of another individual. 
  5. You need the data to perform a task that is in the public interest, or in the exercise of official authority. 
  6. You need the data for your own or a third party’s “legitimate interests”, and those interests are not overridden by the individual’s interests, rights and freedoms. 

Determine your lawful basis before you begin collecting data, and document it.  

Your privacy notice should include your lawful basis for processing as well as the purposes of the processing. 

Remember this when you collect data

If you are processing special category data (sensitive data such as health, genetic or biometric data, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or data concerning sex life or sexual orientation), you need both a lawful basis under Article 6 and one of the additional conditions listed in Article 9(2). 

If you are processing data about criminal convictions or offences, you likewise need both a lawful basis under Article 6 and an additional condition under Article 10: the processing must be carried out under the control of official authority or be authorised by EU or Member State law. 

Data collection checklist

Review your data processing activities and select the most appropriate lawful basis (or bases) for each activity. 

Make sure collecting the data is necessary for the purpose you’ve selected. Could you achieve that purpose in a less intrusive way, for example with less data or with anonymised data? 

Document the lawful basis you selected to demonstrate compliance. 

Include information about your lawful basis and purposes of data collection in your privacy notice. 

If you collect sensitive data (special category data), or criminal offence data, identify an additional condition for processing that type of data and document it. 


Data collection principles

You should also consider how the fundamental GDPR principles in Article 5 of the GDPR apply to data collection and processing: 

Lawfulness, fairness and transparency
Make sure you have a lawful basis, as described above. Don’t deceive people or hide how their data will be used when you collect it.  

Purpose limitation
Only use the data for the purpose you disclosed when collecting it.  

Data minimization
Only collect the personal data you really need. Separate required data fields from optional ones on your contact forms, or eliminate optional and unnecessary fields altogether. 

Accuracy
Make sure the data you collect is kept accurate and up to date. Ask people to confirm or update their details from time to time, and correct or delete data that is inaccurate. 

Storage limitation
Set a data retention limit now and stick to it.  

Integrity and confidentiality
Use encryption, access controls (authentication and authorisation), identity verification and other technical and organisational measures to protect data at rest and in transit, and against accidental loss or destruction. 

Accountability
Keep written records of your data processing activities so that you can demonstrate compliance with the principles above (Article 5(2)). 

Let’s look a little more closely at the documentation you should keep when collecting personal data. 

Data collection documentation for GDPR compliance

GDPR Article 30 requires you to keep written records of your data processing activities, including: 

  • The name and contact details of your organisation (the controller) 
  • The names and contact details of any joint controller or controller’s representative, if applicable 
  • The name and contact details of your data protection officer (DPO), if applicable 
  • The purposes of the processing 
  • The categories of data subjects and categories of personal data you collect 
  • The categories of recipients to whom personal data have been or will be disclosed, including recipients in third countries and international organisations 
  • Any transfers to third countries or international organisations, and documentation of the suitable safeguards relied on 
  • The envisaged retention periods (time limits for erasure) for the different categories of data 
  • A general description of the technical and organisational security measures you’ve put in place to protect personal data. 
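The data collection checklist and the Article 30 record fields above can be turned into automated consistency checks over a register of processing activities. The following is an added example, not code from the original article or from Safe Online’s tools; the field names (`lawful_basis`, `art9_condition`, `art10_condition`, `transfer_safeguard`, and so on) and the sample register are my own assumptions, not a standard schema.

```python
"""Consistency checks over a record of processing activities (RoPA).

Added example, not part of the original article or any vendor tool.
Field names and the sample register below are assumptions chosen for
illustration; adapt them to your own register format.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Article 6(1)(a)-(f): the six lawful bases for processing.
LAWFUL_BASES = {
    "consent", "contract", "legal_obligation",
    "vital_interests", "public_task", "legitimate_interests",
}


@dataclass
class Activity:
    """One processing activity, mirroring the Article 30 record fields."""
    name: str
    purpose: str
    lawful_basis: Optional[str]
    data_subject_categories: list[str]
    data_categories: list[str]
    recipient_categories: list[str]
    retention_period_days: Optional[int]
    security_measures: list[str]
    special_category: bool = False            # Article 9 data present?
    art9_condition: Optional[str] = None      # e.g. "explicit_consent"
    criminal_offence_data: bool = False       # Article 10 data present?
    art10_condition: Optional[str] = None     # e.g. "authorised_by_member_state_law"
    third_country_transfer: bool = False
    transfer_safeguard: Optional[str] = None  # e.g. "standard_contractual_clauses"


def check_activity(a: Activity) -> list[str]:
    """Return a list of findings (empty list means the record is complete)."""
    findings: list[str] = []
    if a.lawful_basis not in LAWFUL_BASES:
        findings.append(f"{a.name}: lawful basis missing or not one of Article 6(1)(a)-(f)")
    if not a.purpose.strip():
        findings.append(f"{a.name}: purpose of processing not documented")
    # Special category and criminal offence data each need a second condition.
    if a.special_category and not a.art9_condition:
        findings.append(f"{a.name}: special category data without an Article 9(2) condition")
    if a.criminal_offence_data and not a.art10_condition:
        findings.append(f"{a.name}: criminal offence data without an Article 10 condition")
    if a.retention_period_days is None:
        findings.append(f"{a.name}: no retention period set (storage limitation)")
    if a.third_country_transfer and not a.transfer_safeguard:
        findings.append(f"{a.name}: third-country transfer without documented safeguard")
    for fld in ("data_subject_categories", "data_categories",
                "recipient_categories", "security_measures"):
        if not getattr(a, fld):
            findings.append(f"{a.name}: {fld} is empty")
    return findings


def check_register(register: list[Activity]) -> dict[str, list[str]]:
    """Map activity name -> findings, for activities that have any."""
    return {a.name: f for a in register if (f := check_activity(a))}


# Constructed sample register: one complete record and two incomplete ones.
SAMPLE_REGISTER = [
    Activity("newsletter", "Send product updates to subscribers", "consent",
             ["subscribers"], ["email address"], ["email service provider"],
             730, ["TLS in transit", "encryption at rest", "role-based access"]),
    Activity("employee_health", "Manage sick leave", "legal_obligation",
             ["employees"], ["sick notes"], ["HR", "payroll provider"],
             None, ["encryption at rest"],
             special_category=True, art9_condition=None),
    Activity("background_checks", "", "curiosity",
             ["job applicants"], ["criminal record extracts"], ["screening vendor"],
             1825, ["access logging"],
             criminal_offence_data=True, art10_condition=None,
             third_country_transfer=True, transfer_safeguard=None),
]

if __name__ == "__main__":
    for name, findings in check_register(SAMPLE_REGISTER).items():
        print(name)
        for line in findings:
            print("  -", line)
```

Run it against your own register export and treat every finding as a gap to close before the activity goes live: a missing Article 9 or 10 condition or a missing retention period is exactly the kind of omission a supervisory authority will ask about.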

The easy way to collect personal data

Collecting personal data requires knowledge and time. At Safe Online, we have developed tools that automate the collection and handling of personal data.

DataMapper - find your sensitive data
ShareSimple - send and receive data securely in Outlook
RequestManager - process data subject requests easily

Sebastian Allerelli

Governance, Risk & Compliance Specialist