Which of the following is a requirement under the GDPR for processing personal data?

Obtaining consent from the data subject is a fundamental requirement under the General Data Protection Regulation (GDPR) for the lawful processing of personal data. The GDPR specifies that personal data can only be processed if the data subject has given clear and affirmative consent for their data to be processed for specific purposes. This consent must be informed, unambiguous, and freely given, reflecting a genuine choice for the individual.

Consent under GDPR serves to protect individual privacy rights, ensuring that individuals have control over their personal data. This provision is particularly relevant in contexts where data processing involves sensitive personal information, requiring a higher level of protection.

The other options do not align with the foundational principles of data processing under the GDPR. While encryption can enhance data protection, it is not an absolute requirement for all data processing. The GDPR also does not stipulate that data must be stored permanently, as it promotes the idea of data minimization and emphasizes the need to retain data only as long as necessary for its intended purpose. Lastly, anonymization is important for privacy but not required for all data processing; the GDPR allows for the processing of personal data under various lawful bases beyond just anonymization.