Legal basis for processing
How to determine the legal basis for processing personal data.
This guidance is for any member of University staff tasked with determining the legal basis for processing personal data.
You will need to use this guidance:
- When customising a privacy notice to ensure it complies with current data protection legislation
- When conducting a ‘data protection impact assessment’ (DPIA)
- When otherwise collecting or receiving personal data for a new initiative
To understand the technical data protection terminology used throughout this guidance see our definitions list.
The legal basis
Whenever we use personal data we must have a legal basis for doing so.
Data protection legislation gives us a list of possible legal bases we can choose from.
- necessary for contractual arrangements
- processing to comply with legal obligations
- processing to protect vital interests
- processing to perform a task in the public interest
- processing necessary for legitimate interest
If you are using special categories of (sensitive) personal data, there are additional legal bases you must comply with. See the guidance on special categories.