Article 7 - Requirements for legitimate Processing

A Data Controller may only Process Personal Data if:

(1) the Data Subject has unambiguously given his consent;
(2) Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
(3) Processing is necessary for compliance with any legal obligation to which the Data Controller is subject;
(4) Processing is necessary in order to protect the vital interests of the Data Subject;
(5) Processing is necessary for the performance of a task carried out in the interests of the QFC or in the exercise of QFC Authority, Regulatory Authority, Tribunal or Appeals Body functions or powers vested in the Data Controller or in a Third Party to whom the Personal Data is disclosed; or
(6) Processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by the Third Party or parties to whom the Personal Data is disclosed, except where such interests are overridden by compelling legitimate interests of the Data Subject relating to the Data Subject's particular situation.