According to the GDPR, the processing of personal data is generally permitted if at least one of the following reasons exists:
- the affected person has consented,
- the processing is necessary to fulfill a contract with the data subject,
- the processing is necessary to comply with a legal regulation,
- the processing is necessary to protect vital interests,
- the processing is necessary for the performance of a public task, or
- the processing is necessary for the purposes of the legitimate interests of the Processor or a third party.
Filming, photographing or making sound recordings is prohibited when:
- it is an invasion of the privacy of others,
- the recordings are used for facial recognition or other automated processes,
- the recordings contain references to specially protected personal data, or
- the data subject(s) has/have withdrawn consent. Withdrawal of consent can also occur, for example, after a photo has already been taken; this must then be deleted immediately.
2. Transfer of personal data
An essential form of processing of personal data is the transfer. In particular, a transfer takes place in any case of the use of service providers in connection with the provision of services to or with the respective data.
On the one hand, such data processing by a processor takes place in connection with an active transfer of personal data from the controller to the processor. On the other hand, a legal transfer also takes place when a processor determines, stores and processes data on behalf of the controller - regardless of whether the data is ever also technically under the control of the controller.
According to the GDPR, a prerequisite for the use of a processor is, in principle, that the respective processor provides sufficient guarantees that appropriate technical and organizational measures are implemented in such a way that the processing meets the requirements of the GDPR and the protection of the rights of the data subjects is ensured. The fulfillment of these requirements must be contractually enshrined.
Initially, a transfer of personal data is generally only permitted if the processor is located in an EU member state.
The GDPR stipulates that personal data may generally only be transferred to a third country if the country in question ensures an adequate level of protection for the transferred data.
In this context, the EU Commission must now determine by decision which third countries can guarantee the rule of law, adequate legal protection options and an overall adequate level of protection for personal data on the basis of their domestic legislation or their international obligations.
In the absence of such an adequacy decision, such a transfer may only take place if the exporter of the personal data established in the Union provides appropriate safeguards, which may result, inter alia, from standard data protection clauses developed by the Commission, provided that data subjects have enforceable rights to the protection of their data on that basis.
If there is neither an adequacy decision nor appropriate safeguards in place, a transfer to a third country is in fact only permissible with the explicit consent of each data subject. However, a prerequisite for effective consent is prior full information "about the potential risks to the data subject of such data transfers in the absence of an adequacy decision and appropriate safeguards."