DPO and GDPR services

What are the Lawful Bases for processing personal data?

Under GDPR you need to have a valid lawful basis to process personal data. GDPR gives us six lawful basis for processing personal data, no one basis is better than the other, it is about using a basis that is most appropriate for your purpose.

In order to process personal data you must be sure that the processing of the data is necessary for your purpose – Can you achieve your purpose without processing personal data? If so then you wont have a lawful basis.

Before you begin processing you must first determine the lawful basis that you will be using. The ICO has an interactive tool which can help you.

Choosing the appropriate legal basis is important, there must be only one legal basis for processing at a time, and that legal basis must be established before the processing begins.

It is worth noting that you cannot alternate between legal bases and you must have a good reason for changing the lawful basis once you have started processing, EG if you suddenly decide that it is too difficult to gain consent, generally you will not be able to change to another basis. It is therefore a good idea to take time and consideration when deciding on your lawful basis to use.

Once you have decided on the lawful basis that you will be using you need to tell people, this you would do via your privacy notice. Your privacy notice should include all the bases that you use and when and for what purpose you will use them.

What happens if your purpose for processing changes?

You may be able to continue processing under the original basis but only if your new purpose is compatible with the first purpose, unless you were your first lawful basis was consent.

Special Category Data

Special category data is personal data that needs more protection because it is sensitive and includes race, ethnic origin, religion, trade union membership, biometrics, and health data.

If you are processing special category data then you need to identify both a lawful basis for general processing under Article 6 UK GDPR  and an additional condition for processing this type of data under Article 9 UK GDPR.

Criminal Conviction and Offence Data

The processing of criminal conviction and offence data is carried out under Article 10 UK GDPR If you have official authority, you can process personal data about criminal convictions and offences, because you are processing the data in an official capacity.

You must determine your condition for processing criminal offence data, or identify your official authority for the processing, before you begin the processing, and you should document this.

If you are processing criminal conviction data or data about offences, then you will need to identify a lawful basis for general processing under Article 6 UK GDPR and an additional condition for processing this type of data.

What are the Lawful Bases for Processing?

Under GDPR there are six lawful bases for processing personal data and at least one must apply when processing personal data. The lawful bases are set out in Article 6 of the UK GDPR. they are:

  1. Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
  2. Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
  3. Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
  4. Vital interests: the processing is necessary to protect someone’s life.
  5.  Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  6. Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

For more information on using consent see our article on When should you use consent

If you need any advice of deciding on your lawful bases for processing we are happy to help simply contact us and let us know.

Scroll to Top