Data Protection Basics: The 6 lawful bases
A quick guide to the six lawful bases for processing personal data
One of the fundamental data protection principles is that our handling of personal data must be ‘lawful, fair and transparent’. To be lawful, clearly, we shouldn’t do anything illegal in general terms. But what else does it mean to be lawful?
We’re given six lawful bases to choose from under UK/EU GDPR. For each purpose we use personal data for, we need to match it with an appropriate lawful basis.
For example a purpose might be:
- Sending marketing emails to our customers
- Profiling our audience to better target our marketing
- Handing staff payroll data to pay salaries
- Handling customer enquiries about our services
- Delivering a product a customer has requested
- Implementing measures to prevent fraud
We need to select the most appropriate lawful basis and meet its own specific requirements. Each basis is equally valid, but one may be more appropriate than others for any specific task. We’re legally obliged to set out the lawful bases we rely on in our privacy notices.
If none of them seem to work, you may want to question whether you should be doing what you’re planning to do.
Quick guide to the 6 lawful bases
(This is not intended to be exhaustive, do check the ICO’s Lawful Basis Guidance)
This lawful basis will be appropriate if you need to process an individual’s personal information to deliver a service to them. Or you need collect certain details to take necessary steps before entering into a contract or agreement.
Example 1: An individual purchases a product from you and you need to handle specific personal information about them in order to deliver that product, including when you acknowledge their order, provide essential information, and so on.
Example 2: Someone asks you to give them a quote for your services, and you need certain information about them in order to provide that quote.
- It doesn’t apply to other purposes you may use the data for which are not essential.
- It’s most likely to be used when people are agreeing to T&Cs, although it can also be used where a verbal agreement or request for information is made.
- The person whose data you’re processing must be party to the contract or agreement with you. It doesn’t apply if you want to process someone’s details, but the contract is with someone else, or with another business.
2. Legal obligation
There may be circumstances where you are legally obliged to conduct certain activities, which will involve processing personal data. This could be to comply with common law or to undertake a statutory obligation.
Example 1: You are offering a job to someone outside the EU. You need to check they have a visa to work in the UK, as this is a legal obligation.
Example 2: Airlines and tour operator collect and process Advance Passenger Information (API) as this is a legal requirement for international air travel.
Legal obligation tips
- Legal obligation shouldn’t be confused with contractual obligations
- Document your decision. You should be able to either:
a) identify the specific legal provision you are relying on
b) the source of advice/guidance which sets out your obligation.
3. Vital interests
You can collect, use or share personal data in emergency situations, to protect someone’s life.
Example: A colleague collapses at work, is unable to talk, and you need to tell a paramedic they have a medical condition. Common sense should prevail.
Vital interest tips
- It’s very limited in scope, and should generally only apply in life and death situations.
- It should only be used when you manifestly can’t rely on another basis. For example, if you could seek consent, you can’t rely on vital interests.
4. Public task
You can process personal data if necessary for public functions and powers that are set out in law, or to perform a specific task in the public interest.
Most often this basis will be relied upon by public authorities and bodies, but it can apply in the private sector where organisations exercise official authority, or carry out tasks in the public interest.
Public task tips
- If you could reasonably perform your tasks or exercise powers in a less intrusive way this basis won’t be appropriate. The processing must be necessary.
- Document your decisions, specify the task, function or power, and identify the statutory or common law basis.
5. Legitimate Interests
This is the most flexible lawful basis, but don’t just assume what you’re doing is legit. It’s most likely to be appropriate when you use people’s data in a way they’d reasonably expect. Where there is minimal impact on them, or where you have a compelling justification.
Legitimate interests must be balanced. You must balance the organisation’s interests against the interests, rights and freedoms of individuals. If your activities are beyond people’s reasonable expectations or would cause unjustified harm, their rights and interests are likely to override yours. Legitimate interests – when it isn’t legit
Legitimate Interests tips
- Conduct and document a Legitimate Interests Assessment (LIA). This may be relatively simple and straight-forward, or more complex.
- Consider whether you can provide people with an easy way to object. This is not essential in all situations (e.g. fraud protection).
- Be open about where you rely on legitimate interests so its likely to be in people’s reasonable expectations.
- Remember to include what your legitimate interests are in your privacy notice.
- Check the ICO’s guidance on when legitimate interests can be relied upon for marketing activities.
This is when you choose to give individuals a clear choice to use their personal details for a specific purpose and they give their clear consent for you to go ahead. The law tells us consent must be a ‘freely given, specific, informed and unambiguous’ indication of someone’s wishes given by a ‘clear affirmative action’.
Consent is all about giving people a genuine choice and putting them in control. They must be able to withdraw their consent at any time, without a detrimental impact on them. Consent, getting it right.
- It should be clear what people are consenting to
- Consent shouldn’t be bundled together for different purposes, each purpose should be distinct
- It must not be conditional – people shouldn’t be ‘forced’ to consent to an activity as part of signing up to a service.
- Consent is unlikely to be appropriate where there may be an imbalance of power. For example, if an employee would feel they have no option but to give consent to their employer (or might feel they could be penalised for not giving it).
- The law sometimes requires consent. For example, under the electronic marketing rules consent is sometimes a requirement.
In summary, consider all the purposes you have for processing personal data. Assign a lawful basis to each purpose and check you’re meeting the specific requirements for each basis. Tell people in your privacy notice the lawful bases you rely on, and specifically explain your legitimate interests.
Finally, don’t forget, if you’re processing special category data (for example data revealing racial or ethnic origin, health data or biometric data) you’ll need a lawful basis, plus you’ll need to meet one of the conditions under UK GDPR Article 9. For criminal convictions data you’ll need a lawful basis, plus one of the conditions under UK GDPR Article 10.