Stay Legal UK

What is a lawful basis for processing data?


To process personal data, you must have a valid lawful basis. There are six lawful bases for processing, and the most appropriate one will depend on your relationship with the individual. Most of the lawful bases require that the processing is ‘necessary’ for a specific purpose. You will not have a lawful basis if you can reasonably achieve that specific purpose without the processing.

You must establish the lawful basis and should document it before you begin processing. You need to get it right the first time, as you should not swap the lawful basis later on without good reason. For example, you cannot usually swap from consent to another basis.

If you process special category data, you need a lawful basis plus an additional condition for processing such data. Processing data about criminal convictions/offences also needs a lawful basis plus an additional condition for such data.

As stated in another article, individuals have the right to be informed, meaning your privacy policy should contain the lawful basis for processing and the purpose of the processing.

Article 6 of the General Data Protection Regulation (GDPR) states the six lawful bases for processing. They are as follows:

  1. Consent – ‘the data subject has given consent to the processing of his or her personal data for one or more specific purposes’.
  2. Contract – ‘processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract’.
  3. Legal obligation – ‘processing is necessary for compliance with a legal obligation to which the controller is subject’. (Does not include contractual obligations)
  4. Vital interests – ‘processing is necessary in order to protect the vital interests of the data subject or another natural person’.
  5. Public task – ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’.
  6. Legitimate interest – ‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child’. (Does not apply if you are a public authority processing data to perform an official task)

At least one of the above must apply for you to process data lawfully. The first data protection principle requires that data is processed in a lawful, fair, and transparent manner. If you do not have a lawful basis, you will be processing data unlawfully, putting you in breach of the first principle.

At Lawdit Stay Legal, our packages include all the documents you need, such as a privacy policy, cookie notice, terms and conditions, intellectual property notice, and accessibility notice. Take the stress of legal compliance away by using one of our packages. With a free initial consultation there is no need to delay, so book today!
