Processing personal data—lawful processing

The following Risk & Compliance practice note provides comprehensive and up-to-date legal information covering:

  • Processing personal data—lawful processing
  • The lawful grounds for processing personal data under UK GDPR
  • Processing must be necessary
  • Consent
  • Standard consent for non-sensitive personal data
  • What is valid consent?
  • Opt-out consent
  • Freely given consent
  • Capacity to consent
  • Where does this leave you?

Processing personal data—lawful processing

An organisation cannot simply process personal data because it wishes to do so. It can only process personal data if it satisfies one of the conditions set out in Article 6(1) of Regulation 2016/679, General Data Protection Regulation. These are commonly known as the ‘lawful grounds’, ‘legitimate grounds’ or ‘conditions’ for processing.

If your organisation processes personal data in the absence of a lawful ground, it will breach the UK GDPR. Failing to comply with the UK GDPR can expose an organisation to serious reputational damage, claims by aggrieved data subjects and fines of up to £17.5m or up to 4% of the total worldwide annual turnover.

The lawful grounds for processing personal data under UK GDPR

Under the UK GDPR, there are six potentially lawful grounds for processing personal data:

  1. the data subject has given consent to the processing of their personal data for one or more specific purposes—see below: Consent

  2. processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject before entering into a contract—see below: Performance of a contract

  3. processing is necessary for compliance with a legal obligation to which you are subject—see below: Compliance with a legal obligation

  4. processing is necessary to protect the vital interests of the data subject or another natural
