Skip to content
LegalVision UK

What is a Lawful Basis For Processing Personal Data?

Avatar photo

By Sej Lamba

Updated on
Reading time: 5 minutes

Meets editorial guidelines

This article meets our strict editorial principles. Our lawyers, experienced writers and legally trained editorial team put every effort into ensuring the information published on our website is accurate. We encourage you to seek independent legal advice. Learn more.

Follow us on LinkedIn
Table of Contents

If your business processes personal data, data law compliance should be a top priority. The UK General Data Protection Regulation (‘UK GDPR’) is the law governing the use of personal data. Under the UK GDPR rules, an organisation must determine a lawful basis (or bases) for processing personal data before beginning to process it. Otherwise, you risk facing serious fines. This article will explore what a lawful basis for processing personal data is.

What Are the Lawful Bases?

Processing personal data is only lawful if the data protection law rules allow it. The UK GDPR rules set out six lawful bases for processing personal data. Therefore, you must establish at least one of the following bases to process personal data lawfully. Notably, it is up to your organisation to determine which lawful basis for processing personal data is appropriate. 

1. Consent

Consent is when your customer or employee has clearly accepted your business’ decision to process their personal data for a specific purpose. The person must give their consent:

  • freely; 
  • for the specified purposes your business outlines; and
  • in an informed manner, meaning they understand the implications of providing consent. 

An example of consent being used as a lawful basis is when a company asks individuals to consent to receive marketing emails from them.

When relying on consent, you will need to keep appropriate records. You should keep clear records of: 

  • what an individual has consented to; and 
  • when and how the consent was obtained so that you can demonstrate compliance in the event of a complaint.

Consent given once cannot ‘last forever’. Instead, how long consent remains valid depends on the circumstances, such as the:

  • context in which an individual gave consent; and 
  • expectations of the individual who gave their consent.

2. Contract

Another legal basis for processing personal data is to perform a contract.  You can rely on this basis if you need to process personal data to: 

  • perform a contract, such as delivering a service; or 
  • comply with the data subject’s demands, such as providing a quote. 

The processing must be ‘necessary’ for the performance of the contract.

Some common examples of this include:

  • using a customer’s banking and contact details to send them an invoice to pay for services under a contract; and
  • an employer using an employee’s personal data to fulfil their obligations under the employment relationship, for example, to pay the employee a salary. 

3. Legal Obligations

You can also process personal data if it is necessary to comply with the law. For example, this ground could be used where an employer needs to comply with its legal obligations to disclose employee salary details to HMRC. 

4. Vital Interests

Processing personal data is also lawful where it is necessary to protect someone’s life. For example, if someone has an accident and you need to share their details with medical staff in an emergency, processing personal data would be necessary. However, in practice, this legal basis is very limited in scope.

5. Public Task

Another basis you can rely upon to process personal data is to perform a task in the public interest or for your official functions where the task or function has a clear basis in law. 

This ground usually applies to public authorities and is unlikely to apply to commercial organisations. 

6. Legitimate Interests

In some instances, processing personal data is necessary for your legitimate interests or the legitimate interests of a third party. However, such interests cannot outweigh the rights of the data subject. 

Where you rely on this ground, you must conduct a legitimate interest assessment. A legitimate interest assessment is a three-part test. The test involves: 

  • identifying a legitimate interest;
  • showing that your processing is necessary to achieve the interest; and 
  • balancing that against the individual data subject’s rights.

In practice, this is a very flexible ground under the UK GDPR. An example where businesses rely on this ground is when processing personal data for direct marketing activities.

How Should Businesses Process Personal Data? 

You must determine your lawful basis before you begin processing personal data. Once you have considered the appropriate lawful basis for which you will process personal data, you should document this. For example, you can include this in your Record of Processing Activities. 

You should also set out your lawful bases for processing personal data in your Privacy Policy document. If your purposes for processing personal data change, you will generally then need to consider a new lawful basis. 

Special category data, criminal conviction data, and data about offences require additional consideration. When processing these types of data, extra legal rules apply in addition to considering the appropriate lawful basis for processing. 

Front page of publication
GDPR Essentials Factsheet

This factsheet sets out how your business can become GDPR compliant.

Download Now
Continue reading this article below the form
Need legal advice?
Call 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.

Key Takeaways

In order to process personal data, your organisation must determine an appropriate ‘lawful basis’ for processing that data. You should identify an appropriate lawful basis before your organisation processes personal data. Lawful bases for processing should be documented. For example, they should be laid out in your organisation’s Privacy Policy. 

If you need help complying with the UK GDPR compliance, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Register for our free webinars

Corporate Governance 101: Responsibilities For Directors

Online
Learn key responsibilities for new directors to avoid legal risks. Join our free webinar to learn more.
Register Now

Business Divorces: Exiting Directors and Shareholders From Your Company

Online
Removing a board director is not simple. Join our free webinar to understand your options. Register today.
Register Now
See more webinars >
Sej Lamba

Sej Lamba

Read all articles by Sej

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

Related articles

3 Documents Your Company Needs to Demonstrate GDPR Compliance

4 Common Challenges Your Company Will Face With the GDPR in the UK

Are CCTV Systems Safe for My UK Business to Use Under the GDPR?

Are Email Disclaimers Mandatory for UK Businesses Under the GDPR?

We’re an award-winning law firm

  • Award

    2023 Economic Innovator of the Year Finalist - The Spectator

  • Award

    2023 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2023 Future of Legal Services Innovation - Legal Innovation Awards

  • Award

    2021 Fastest Growing Law Firm in APAC - Financial Times