Under the GDPR, data processors and controllers are required to demonstrate that all processing activities have a valid legal basis. There are six bases for processing data:
The data subject provides valid consent;
Processing is necessary for entering into or the performance of a contract;
Processing is necessary for compliance with a legal obligation to which the controller is subject;
Processing is necessary in order to protect the vital interests of the data subjector other individual;
Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested;
Processing is necessary for the purposes of the legitimate interests pursued by the controller or third party, to the extent that it does not infringe on the fundamental rights and freedoms of the data subject, particularly where the data subject is a child.
Understanding the correct lawful ground for all processing activity is an essential element of GDPR compliance. As a data processor processing personal data on behalf of data controllers (educational institutions) Socrative does not need to rely on consent for its processing, but must have a legal basis attributed to this processing.
If you have any questions about Socrative's legal basis for processing information, please contact firstname.lastname@example.org.