GDPR - Lawful ground to process

The first principle under the GDPR requires that you process all personal data lawfully, fairly and in a transparent manner in relation to the data subject. Processing is only lawful if you have a lawful basis under Article 6. A controller is “accountable” for and must be able to demonstrate compliance with this basic principle in accordance with Article 5(2). This means you will need to be able to demonstrate that a lawful basis applies.

If no lawful basis applies to your processing, your processing will be unlawful and in breach of the first principle. Data subjects will also have the right to erase personal data which has been processed unlawfully as set out in Article 17(1)(d).

The data subject’s right to be informed under Article 13 and 14 requires you to provide people with information about your lawful basis for processing.  This means you need to include these details in your privacy notice. We discuss later in this Guidance Note what should be contained in your Privacy Notice.

The lawful basis for your processing can also affect which rights are available to data subjects. For example, some rights will not apply:

Lawful Process* Right to
erasure
Right to 
portability
Right to 
object
Consent ✘**
Contract
Legal Obligation
Vital interests
Public task
Legitimate interests

*      A data subject always has the right to object to processing for the purposes of direct marketing, whatever lawful basis applies.

**        however they do still have the right to withdraw consent

The lawful bases for processing personal data are set out in Article 6 of the GDPR (different legal basis apply to special category data). At least one of these must apply whenever you process personal data:           

  1. Consent: the data subject has given clear consent for you to process their personal data for a specific purpose.
  2. Contract: the processing is necessary for a contract you have with the data subject, or because they have asked you to take specific steps before entering into a contract.
  3. Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
  4. Vital interests: the processing is necessary to protect someone’s life.
  5. Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  6. Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the data subject’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

Where you would like to process special category data, you must meet one of the legal basis for special category data under Article 9 of the GDPR, otherwise it shall be prohibited:

  1. Explicit Consent: the data subject has given his or her explicit consent to the processing for a specified purpose or purposes (unless reliance on consent is prohibited by law).
  2. Employment Relationship: necessary for the purposes of carrying out the obligations and exercising specific rights of the Controller or of the data subject in the field of employment, social security, social protection law, or a collective agreement in so far as authorised by UK law (Part 1 of Schedule 1 of the UK Data Protection Bill provides further detail as to when this condition can be applied).
  3. Vital Interests: necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent.
  4. Not for Profit: processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside the body without the consent of the data subject.[1]
  5. Public: relates to personal data which are manifestly made public by the data subject.
  6. Legal Defence: necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
  7. Public Interest: necessary for reasons of substantial public interest (Part 2 of Schedule 1 of the UK Data Protection Bill provides further detail as to when this condition can be applied).
  8. Preventative or Occupational Medicine: processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of UK law.
  9. Research:necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

[1] NOTE: this is a very narrow exemption and your reliance upon it should only be after taking legal advice.