The first data protection principle under the UK GDPR is that there must be a valid lawful basis for any processing of individuals’ (data subjects’) personal data.
“Processing” is widely defined - it includes manipulation and use, but extends to the collection, holding and erasure of personal data.
What are the lawful bases of processing?
There are six lawful bases and they are set out at Article 6 of the UK GDPR.
| Lawful basis | Description |
|---|---|
| Consent | The processing is done with the clear consent of the data subject, allowing data to be processed for a specific purpose. |
| Contract | The processing is necessary for a contract between the processing entity and the data subject or to allow the processing entity to take certain steps requested by the data subject before contracting. |
| Legal obligation | The processing is necessary for the processing entity to comply with its legal obligations. |
| Vital interest | The processing is necessary to protect an individual’s life. |
| Public interest | The processing is necessary to undertake a task in the public interest or to exercise authority properly granted to the processing entity. |
| Legitimate interest | The processing is necessary for the legitimate interest of the processing entity or a third party. However, if the interests, fundamental rights or freedoms of a data subject require their personal data to be protected, those rights will override any legitimate interest of the processing entity. |
“Necessary”
Many of the lawful bases require the processing to be necessary. This means that the processing must be necessary for the purpose that is being carried out. If the purpose can reasonably be achieved by some other means, including processing less data, the processing will not be necessary. The fact that a processing entity has chosen to operate its business in a way which renders processing necessary is not sufficient.
Key pointers
- The lawful basis of processing must be selected before processing begins.
- Changing the lawful basis after processing has started is difficult, so time should be taken to choose correctly from the outset.
- Processing entities should record and justify the basis they rely on for each processing purpose.
- Information regarding the intended purpose of the processing and the lawful basis that applies should be included in a processing entity’s privacy statement.
- Special category personal data requires both a lawful basis as above and also a special category condition. We go into this in more detail in a separate Jargon Buster on special category personal data.
For more information or advice on data protection compliance, please contact Beverley Flynn or another member of the commercial and technology team.