Do I always need people's permission to process their personal data?
No. The permission of a data subject is only one of the possible grounds for legitimizing the processing of personal data. The law contains several other possibilities, including processing in the legitimate interest of the entity that determines the purposes and means of the processing, if these interests are not overridden by the interests for fundamental rights and freedoms of the data subject. This option is very important in practice: it allows the entity organising the data processing to assess for itself whether there is any negative impact on the privacy of the data subject, and to determine on the basis of this assessment whether asking for permission is necessary or advisable.
Of course, permission remains a viable and pragmatic way to legitimize data processing, as it reduces the risk of later discussions with respect to legitimacy, provided that the existence of valid permission can be demonstrated.
It should be noted that the law contains stricter rules for certain types of personal data which are considered especially privacy sensitive, including in relation to health, racial or ethnic origin, religion, ideology, sex life and judicial activity. For these categories of data the legislative bar is set substantially higher, and it will often be necessary to seek the permission of the data subject.