Any organisation processing personal data needs to have a valid lawful basis to do so.
Under Data Protection law we must process all personal data lawfully, fairly and in a transparent manner.
There are six lawful bases for processing, which is most appropriate to use will depend on the purpose of the processing and the nature of our relationship with you.
The lawful bases for processing
At least one must apply whenever we process your personal data. A brief explanation is below, for more detail see Article 6 of the GDPR.
- Consent: you have given clear, active, consent for us to process your personal data for a specific purpose.
- Contract: the processing is necessary for a contract you have with the us, or because you have asked us to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations).
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for our legitimate interests (or the legitimate interests of a third party) unless there is a good reason to protect your personal data which overrides those interests.
What rights are affected?
The lawful basis for your processing can also affect which rights are available to individuals. For example, some rights will not apply as indicated in the table below with an ‘X’:
|Right to erasure||Right to portability||Right to object|
|Consent||X - but not to withdraw consent|