Get Free Downloads
Start your GDPR today in just a few clicks

GDPR Lawful Basis

Tagged with GDPR HELP, GDPR ADVICE, GDPR
by Adam Brogden
in Blog

10-Oct-2019 11:26

The GDPR says that you must have a valid lawful basis in order to process personal data. There are six available lawful bases for processing. No single basis is ‘better’ or more important than the others. Which basis is most appropriate to use will depend on your purpose and relationship with the individual. Most lawful bases require that processing is ‘necessary’ for a specific purpose. If you can reasonably achieve the same purpose without the processing, you won’t have a lawful basis. You must determine your lawful basis before you begin processing, and you should document it. Your privacy notice should include your lawful basis for processing as well as the purposes of the processing.

Take care to get it right first time. You should not swap to a different lawful basis at a later date without good reason. In particular, you cannot usually swap from consent to a different basis.

If your purposes change, you may be able to continue processing under the original lawful basis if your new purpose is compatible with your initial purpose (unless your original lawful basis was consent).

If you are processing special category data you need to identify both a lawful basis for general processing and an additional condition for processing this type of data.

If you are processing criminal conviction data or data about offences you need to identify both a lawful basis for general processing and an additional condition for processing this type of data.

The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:

  1. Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

  2. Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

  3. Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

  4. Vital interests: the processing is necessary to protect someone’s life.

  5. Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

  6. Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

Don’t worry: we have a comprehensive set of documents to help you determine and define your lawful basis, and we will certainly help you understand which best applies to you.

Good luck all.