Legal basis for data processing
How to determine the legal basis for processing personal data
This guidance is for any member of University staff tasked with determining the legal basis for processing personal data to ensure that all data processing is lawful.
You will need to use this guidance:
- When customising a privacy notice to ensure it complies with current data protection legislation
- When conducting a ‘data protection impact assessment’ (DPIA)
- When otherwise collecting or receiving personal data for a new initiative
The legal basis
Whenever we use personal data we must have a legal basis for doing so.
Data protection legislation gives us a list of possible legal bases we can choose from.
If you are using special categories of (sensitive) personal data, there are additional legal bases you must comply with. See the guidance on special categories.
Consent
How and when to use consent as the legal basis for processing personal data
Performance of contract
When to use the legal basis that processing personal data is necessary for the performance of a contract
Legal obligation
Processing personal data where there is a legal obligation
Vital interests
Processing is necessary to protect life and death of an individual
Public tasks
Processing personal data on the basis of public tasks
Legitimate interest
Using legitimate interests as a legal basis for processing personal data
Special categories
Legal bases for processing special categories of personal data