Legal basis for data processing
How to determine the legal basis for processing personal data
This guidance is for any member of University staff tasked with determining the legal basis for processing personal data to ensure that all data processing is lawful.
You will need to use this guidance:
- When customising a privacy notice to ensure it complies with current data protection legislation
- When conducting a ‘data protection impact assessment’ (DPIA)
- When otherwise collecting or receiving personal data for a new initiative
The legal basis
Whenever we use personal data we must have a legal basis for doing so.
Data protection legislation gives us a list of possible legal bases we can choose from.
If you are using special categories of (sensitive) personal data, there are additional legal bases you must comply with. See the guidance on special categories.