The data controller or the data processor lawfully processes personal data if:

1. the data subject has given consent to the processing of his or her personal data for purposes explained to him or her;
2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
3. the data controller executes a legal obligation to which he or she is a subject;
4. it is necessary for protection of vital interests of the data subject or any other person;
5. it is necessary for the performance of a duty carried out in the public interest or in the exercise of official authority vested in the data controller;
6. it is carried out for the performance of duties of a public entity;
7. it is intended for legitimate interests pursued by the data controller or by a third party to whom the personal data are disclosed, unless the processing of personal data is unwarranted in any particular case having regard to the prejudice to the rights and freedoms or legitimate interests pursued by the data subject;
8. it is carried out for research purposes upon authorisation by relevant institution.