Lawfulness means that the data processing is permitted under the GDPR. Several conditions must be met for the processing of personal data to be lawful.
Lawfulness applies to all personal data processing activities, regardless of the purpose of the processing activity. Some types of personal data processing are more likely than others to be lawful, such as employment records and medical records.
But no matter what type of personal data you process, there are some common legal requirements for all personal data processing activities:
The processing must be necessary for a legitimate purpose. For example, if you only need to process employee information for payroll purposes and not for any other reason, then you are unlikely to be able to argue that it is necessary for another reason, such as tax or accounting purposes. However, if your business relies on financial accounting and tax reporting, then it may be possible to argue that those purposes apply instead.
For instance, if you need to process employee names and addresses for payroll purposes but also use them for marketing purposes, then this may not be lawful under EU law: the data subject must have given consent, or there must be an overriding legitimate interest.