Lawful processing

A key principle in the GDPR is that data controllers need to process personal data lawfully, fairly and transparently.

Like the Data Protection Act 1998, the GDPR sets out an exhaustive list of lawful justifications for processing, often referred to as the “conditions for processing” or “lawful bases”. What is new under the GDPR is an explicit obligation to tell people the legal basis on which you process their personal data, so you now have to identify, document and communicate it.

Another reason to be clear about your lawful basis is that it determines how far the individual can limit the processing. For example, if you process someone’s personal data because it is necessary for the performance of their employment contract, they do NOT have the right to object to that processing; the right to object applies to processing based on the public task and legitimate interests grounds (and, in any case, to processing for direct marketing).

The six lawful bases set out in Article 6 of the GDPR are:

  • The individual has given consent to the processing of his or her personal data for one or more specific purposes. Various further conditions apply where you wish to rely on consent as a lawful basis; see “Consent” section below.

  • Processing is necessary for the performance of a contract to which the individual is party or in order to take steps at the request of the individual prior to entering into a contract.

  • Processing is necessary for compliance with a legal obligation to which the controller is subject.

  • Processing is necessary in order to protect the vital interests of the individual or of another natural person.

  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

  • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the individual which require protection of personal data, in particular where the individual is a child. Public authorities may not rely on this ground in the performance of their tasks; see “Public Authorities” below.

In addition to meeting one of the conditions above, further conditions must be met if you are processing special categories of personal data, including information about an individual’s:

  • Racial or ethnic origin

  • Political opinions

  • Religious or philosophical beliefs

  • Trade union membership

  • Genetic data

  • Biometric data, where processed to uniquely identify an individual

  • Health

  • Sex life or sexual orientation

Further conditions must also be met if you are processing personal data relating to criminal convictions and offences (including alleged offences).

Some of the further conditions are set out in the GDPR itself (Article 9 for special categories of personal data, Article 10 for criminal convictions and offences data); others are contained in Schedule 1 to the UK Data Protection Act 2018.

Consent

Consent is only one of the six lawful grounds on which personal data can be processed; in many situations it will be more appropriate to rely on another lawful basis. If you do need to rely on consent, it must be freely given, specific, informed and unambiguous, and given by a statement or by a clear affirmative action. The GDPR contains various requirements about consent, including:

  • You must be able to demonstrate an individual’s consent where you are relying on this ground.

  • If consent is given as part of a written declaration which also concerns other matters, it must be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. 

  • Individuals have the right to withdraw their consent at any time, and they must be informed of this right prior to consent being given. If an individual withdraws their consent, this does not affect the lawfulness of processing based on consent prior to the withdrawal. 

  • Silence, pre-ticked boxes or inactivity should not constitute consent.

  • When the proposed processing covers multiple purposes, consent should be given for all of them.

  • Consent should not be regarded as freely given if the individual has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

  • Consent should not provide a valid legal ground for processing of personal data where there is a clear imbalance between you and the individual, in particular where you are a public authority and it is therefore unlikely that consent was freely given.

  • Consent is presumed not to be freely given if it does not allow separate consent to be given to different processing operations despite it being appropriate in the individual case.

  • Consent is presumed not to be freely given if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.

Public authorities

For GDPR purposes, a UK public authority is an entity which is a public authority under the Freedom of Information Act 2000 (or under the equivalent legislation in Scotland), subject to some exceptions. The UK Data Protection Act 2018 also provides that such an entity is only a public authority for GDPR purposes when performing a task carried out in the public interest or in the exercise of official authority vested in it.

Aside from limiting public authorities’ ability to rely on consent as a lawful basis (see above), the GDPR also provides that public authorities may not rely on the “legitimate interests” lawful basis for processing carried out in the performance of their tasks. Legitimate interests remains available for processing that falls outside those tasks, and the UK Information Commissioner has suggested that it will be particularly relevant for public authorities with commercial interests.

Public authorities are also subject to other obligations under GDPR, for example, it is mandatory for them to appoint a Data Protection Officer.

Next steps

  1. Analyse what your organisation does with personal information and cross-check those activities against the permitted conditions for processing.

  2. Download our privacy notice checklist and check that you are providing the right information about what personal data you process, why and how. 
