What are the 6 Lawful Bases you can use when processing personal data?
Under the General Data Protection Regulation (GDPR), organisations must establish a valid lawful basis to process personal data. The regulation outlines six lawful bases for processing, each serving distinct purposes and contexts. It is crucial to understand that no one basis is better than another; it is about using the basis that is most appropriate for your purpose. The appropriateness of each depends on the specific circumstances surrounding your data processing activities.
To ensure compliance with GDPR, you must first assess which lawful basis aligns best with your intended purpose for processing personal data. The six lawful bases include consent, contract necessity, legal obligation, vital interests, public task, and legitimate interests. Each of these bases has its own requirements and implications.
For instance, if you are processing data based on consent, it is essential that individuals have given clear permission for their information to be used in a specific way. Conversely, if your processing is necessary for the performance of a contract with an individual or to take steps at their request prior to entering into a contract, this would fall under contractual necessity.
Ultimately, understanding these lawful bases for processing data not only helps in ensuring compliance but also fosters trust with individuals whose data you handle. By carefully evaluating your purposes against these bases, you can navigate the complexities of GDPR more effectively while safeguarding personal information.
The ICO has an interactive tool which can help you.
Choosing the appropriate legal basis is important: there must be only one legal basis for processing at a time, and that legal basis must be established before the processing begins.
It is worth noting that you cannot alternate between legal bases, and you must have a good reason for changing the lawful basis once you have started processing. For example, if you suddenly decide that it is too difficult to gain consent, generally you will not be able to change to another basis. It is therefore a good idea to take time and care when deciding on the lawful basis to use.
Once you have decided on the lawful basis that you will be using, you need to tell people; you would do this via your privacy notice. Your privacy notice should include all the bases that you use and when and for what purpose you will use them.
What happens if your purpose for processing changes?
You may be able to continue processing under the original basis, but only if your new purpose is compatible with the first purpose, unless your first lawful basis was consent.
Special Category Data
Special category data is personal data that needs more protection because it is sensitive and includes race, ethnic origin, religion, trade union membership, biometrics, and health data.
If you are processing special category data then you need to identify both a lawful basis for general processing under Article 6 UK GDPR and an additional condition for processing this type of data under Article 9 UK GDPR.
Criminal Conviction and Offence Data
The processing of criminal conviction and offence data is carried out under Article 10 UK GDPR. If you have official authority, you can process personal data about criminal convictions and offences, because you are processing the data in an official capacity.
You must determine your condition for processing criminal offence data, or identify your official authority for the processing, before you begin the processing, and you should document this.
If you are processing criminal conviction data or data about offences, then you will need to identify a lawful basis for general processing under Article 6 UK GDPR and an additional condition for processing this type of data.
What are the Lawful Bases for Processing?
Under GDPR there are six lawful bases for processing personal data, and at least one must apply when processing personal data. The lawful bases are set out in Article 6 of the UK GDPR. They are:
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
For more information on using consent, see our article on "When should you use consent".
If you need any advice on deciding on your lawful bases for processing, we are happy to help. Simply contact us and let us know.