At a glance
- You must have a valid lawful basis in order to process personal data.
- There are six available lawful bases for processing. No single basis is ‘better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the individual.
- Most lawful bases require that processing is ‘necessary’ for a specific purpose. If you can reasonably achieve the same purpose without the processing, you won’t have a lawful basis.
- You must determine your lawful basis before you begin processing, and you should document it. ICO has an interactive tool (external link) to help you.
- Take care to get it right first time – you should not swap to a different lawful basis at a later date without good reason. In particular, you cannot usually swap from consent to a different basis.
- Your privacy notice should include your lawful basis for processing as well as the purposes of the processing.
- If your purposes change, you may be able to continue processing under the original lawful basis if your new purpose is compatible with your initial purpose (unless your original lawful basis was consent).
- If you are processing special category data you need to identify both a lawful basis for general processing and an additional condition for processing this type of data.
- If you are processing criminal conviction data or data about offences you need to identify both a lawful basis for general processing and an additional condition for processing this type of data.
- We have reviewed the purposes of our processing activities, and selected the most appropriate lawful basis (or bases) for each activity.
- We have checked that the processing is necessary for the relevant purpose, and are satisfied that there is no other reasonable and less-intrusive way to achieve that purpose.
- We have documented our decision on which lawful basis applies to help us demonstrate compliance.
- We have included information about both the purposes of the processing and the lawful basis for the processing in our privacy notice.
- Where we process special category data, we have also identified a condition for processing special category data, and have documented this.
- Where we process criminal offence data, we have also identified a condition for processing this data, and have documented this.
What are the lawful bases for processing?
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
For more detail on each lawful basis, read the relevant page of this guide.
When is processing ‘necessary’?
Many of the lawful bases for processing depend on the processing being “necessary”. This does not mean that processing has to be absolutely essential. However, it must be more than just useful, and more than just standard practice. It must be a targeted and proportionate way of achieving a specific purpose. The lawful basis will not apply if you can reasonably achieve the purpose by some other less intrusive means, or by processing less data.
It is not enough to argue that processing is necessary because you have chosen to operate your business in a particular way. The question is whether the processing is objectively necessary for the stated purpose, not whether it is a necessary part of your chosen methods.
Why is the lawful basis for processing important?
The first principle requires that you process all personal data lawfully, fairly and in a transparent manner. If no lawful basis applies to your processing, your processing will be unlawful and in breach of the first principle.
Individuals also have the right to erase personal data which has been processed unlawfully.
The individual’s right to be informed under Articles 13 and 14 requires you to provide people with information about your lawful basis for processing. This means you need to include these details in your privacy notice.
The lawful basis for your processing can also affect which rights are available to individuals. For example, some rights will not apply:
However, an individual always has the right to object to processing for the purposes of direct marketing, whatever lawful basis applies.
The remaining rights are not always absolute, and there are other rights which may be affected in other ways. For example, your lawful basis may affect how provisions relating to automated decisions and profiling apply, and if you are relying on legitimate interests you need more detail in your privacy notice.
Please read the section of this Guide on individuals’ rights for full details.
How do we decide which lawful basis applies?
This depends on your specific purposes and the context of the processing. You should think about why you want to process the data, and consider which lawful basis best fits the circumstances. You can use ICO’s interactive guidance tool (external link) to help you.
You might consider that more than one basis applies, in which case you should identify and document all of them from the start.
You must not adopt a one-size-fits-all approach. No one basis should be seen as always better, safer or more important than the others, and there is no hierarchy in the order of the list in the GDPR.
Several of the lawful bases relate to a particular specified purpose – a legal obligation, performing a contract with the individual, protecting someone’s vital interests, or performing your public tasks. If you are processing for these purposes then the appropriate lawful basis may well be obvious, so it is helpful to consider these first.
In other cases you are likely to have a choice between using legitimate interests or consent. You need to give some thought to the wider context, including:
- Who does the processing benefit?
- Would individuals expect this processing to take place?
- What is your relationship with the individual?
- Are you in a position of power over them?
- What is the impact of the processing on the individual?
- Are they vulnerable?
- Are some of the individuals concerned likely to object?
- Are you able to stop the processing at any time on request?
You may prefer to consider legitimate interests as your lawful basis if you wish to keep control over the processing and take responsibility for demonstrating that it is in line with people’s reasonable expectations and wouldn’t have an unwarranted impact on them. On the other hand, if you prefer to give individuals full control over and responsibility for their data (including the ability to change their mind as to whether it can continue to be processed), you may want to consider relying on individuals’ consent.
In more detail
The ICO have produced the lawful basis interactive guidance tool (external link), to give more tailored guidance on which lawful basis is likely to be most appropriate for your processing activities.
Is this different for public authorities?
The basic approach is the same. You should think about your purposes, and choose whichever basis fits best. You can still use ICO’s lawful basis tool (external link) to help you.
The public task basis is more likely to be relevant to much of what you do. If you are a public authority and can demonstrate that the processing is to perform your tasks as set down in UK law, then you are able to use the public task basis. But if it is for another purpose, you can still consider another basis.
In particular, you may still be able to consider consent or legitimate interests in some cases, depending on the nature of the processing and your relationship with the individual. There is no absolute ban on public authorities using consent or legitimate interests as their lawful basis, although there are some limitations. For more information, see the specific guidance page on each lawful basis.
The Data Protection Act 2018 says that ‘public authority’ here means a public authority under the Freedom of Information Act or Freedom of Information (Scotland) Act – with the exception of parish and community councils.
A university that wants to process personal data may consider a variety of lawful bases depending on what it wants to do with the data.
Universities are classified as public authorities, so the public task basis is likely to apply to much of their processing, depending on the detail of their constitutions and legal powers. If the processing is separate from their tasks as a public authority, then the university may instead wish to consider whether consent or legitimate interests are appropriate in the particular circumstances. For example, a University might rely on public task for processing personal data for teaching and research purposes; but a mixture of legitimate interests and consent for alumni relations and fundraising purposes.
The university however needs to consider its basis carefully – it is the controller’s responsibility to be able to demonstrate which lawful basis applies to the particular processing purpose.
Can we change our lawful basis?
You must determine your lawful basis before starting to process personal data. It’s important to get this right first time. If you find at a later date that your chosen basis was actually inappropriate, it will be difficult to simply swap to a different one. Even if a different basis could have applied from the start, retrospectively switching lawful basis is likely to be inherently unfair to the individual and lead to breaches of accountability and transparency requirements.
Example
A company decided to process on the basis of consent, and obtained consent from individuals. An individual subsequently decided to withdraw their consent to the processing of their data, as is their right. However, the company wanted to keep processing the data so decided to continue the processing on the basis of legitimate interests.
Even if it could have originally relied on legitimate interests, the company cannot do so at a later date – it cannot switch basis when it realises that the original chosen basis was inappropriate (in this case, because it did not want to offer the individual genuine ongoing control). It should have made clear to the individual from the start that it was processing on the basis of legitimate interests. Leading the individual to believe they had a choice is inherently unfair if that choice will be irrelevant. The company must therefore stop processing when the individual withdraws consent.
It is therefore important to thoroughly assess upfront which basis is appropriate and document this. It may be possible that more than one basis applies to the processing because you have more than one purpose, and if this is the case then you should make this clear from the start.
If there is a genuine change in circumstances or you have a new and unanticipated purpose which means there is a good reason to review your lawful basis and make a change, you need to inform the individual and document the change.
What happens if we have a new purpose?
If your purposes change over time or you have a new purpose which you did not originally anticipate, you may not need a new lawful basis as long as your new purpose is compatible with the original purpose.
However, this does not apply to processing based on consent. Consent must always be specific and informed, and reusing the data for a new purpose would unfairly undermine the original consent. You usually need to get fresh consent which specifically covers the new purpose. If you do get specific consent for the new purpose, you do not need to show it is compatible.
In other cases, in order to assess whether the new purpose is compatible with the original purpose you should take into account:
- any link between your initial purpose and the new purpose;
- the context in which you collected the data – in particular, your relationship with the individual and what they would reasonably expect;
- the nature of the personal data – eg is it special category data or criminal offence data;
- the possible consequences for individuals of the new processing; and
- whether there are appropriate safeguards – eg encryption or pseudonymisation.
This list is not exhaustive and what you need to look at depends on the particular circumstances.
You may find our legitimate interests assessment template (external link) a useful tool for assessing compatibility, as both consider similar factors.
As a general rule, if the new purpose is very different from the original purpose, would be unexpected, or would have an unjustified impact on the individual, it is unlikely to be compatible with your original purpose for collecting the data. You can then only go ahead if you get specific consent for the new purpose, or you can point to a specific legal provision requiring or allowing the new processing in the public interest (in which case your new lawful basis will be legal obligation or public task).
If you are processing special category data, you will need to ensure that you can identify an appropriate condition which applies to your new processing.
The UK GDPR specifically says that further processing for the following purposes should be considered to be compatible lawful processing operations:
- archiving purposes in the public interest;
- scientific research purposes; and
- statistical purposes.
There is a link here to the ‘purpose limitation’ principle in Article 5, which states that “personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”.
Even if the processing for a new purpose is lawful, you will also need to consider whether it is fair and transparent, and give individuals information about the new purpose.
How should we document our lawful basis?
The principle of accountability requires you to be able to demonstrate that you are complying with the UK GDPR, and have appropriate policies and processes. This means that you need to be able to show that you have properly considered which lawful basis applies to each processing purpose and can justify your decision.
You need therefore to keep a record of which basis you are relying on for each processing purpose, and a justification for why you believe it applies. There is no standard form for this, as long as you ensure that what you record is sufficient to demonstrate that a lawful basis applies. This will help you comply with accountability obligations, and will also help you when writing your privacy notices.
It is your responsibility to ensure that you can demonstrate which lawful basis applies to the particular processing purpose.
Read the accountability section of this guide for more on this topic. There is also further guidance on documenting consent or legitimate interests assessments in the relevant pages of the guide.
What do we need to tell people?
You need to include information about your lawful basis (or bases, if more than one applies) in your privacy notice. Under the transparency provisions of the GDPR, the information you need to give people includes:
- your intended purposes for processing the personal data; and
- the lawful basis for the processing.
This applies whether you collect the personal data directly from the individual or you collect their data from another source.
Read the ‘right to be informed’ section of this guide for more on the transparency requirements of the GDPR.
What about special category data?
If you are processing special category data, you need to identify both a lawful basis for processing and a special category condition for processing in compliance with Article 9. You should document both your lawful basis for processing and your special category condition so that you can demonstrate compliance and accountability.
Further guidance can be found in the section on special category data.
What about criminal offence data?
If you are processing data about criminal convictions, criminal offences or related security measures, you need both a lawful basis for processing, and either ‘official authority’ or a separate condition for processing this data in compliance with Article 10. You should document both your lawful basis for processing and your criminal offence data condition so that you can demonstrate compliance and accountability.
Further guidance can be found in the section on criminal offence data.