Lawful basis for processing

Processing of Personal data

To legally process personal data at least one of the following conditions must be met:

  1. Consent - The individual has given consent to the processing for one or more specific purposes. Consent will be much harder to obtain under the Regulation.
  2. Necessary for performance of a contract - The processing is necessary for the performance of a contract with the individual or in order to take steps at the request of the individual prior to entering into a contract.
  3. Legal obligation - The processing is necessary for compliance with a legal obligation to which the data controller is subject. Only legal obligations under Union or Member State law will satisfy this condition. However, that law need not be statutory (e.g. common law obligations are sufficient).
  4. Vital interests - The processing is necessary in order to protect the vital interests of the individual or of another natural person. This is typically limited to processing needed for medical emergencies.
  5. Public functions - The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Those functions must arise under Member State or EU law.
  6. Legitimate interests - The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Controllers should undertake a legitimate interests assessment, which involves a “careful assessment” of the underlying processing to ensure it properly balances the interest of the controller against any potential intrusion into the individual’s privacy. In particular, the controller should ask whether the individual would “reasonably expect” that processing for that purpose will take place.

Legitimate Interests Assessment (LIA)

When seeking to rely upon Legitimate Interest as a legal basis for processing, the University will conduct a Legitimate Interest Assessment using the guidance on the ICO's website and their LIA template. This will be reviewed by the University's Information and Data Compliance Team.

Processing of special categories of personal data

GDPR places much stronger controls on the processing of special category data. Where sensitive personal data is processed, it must also satisfy at least one of the following special category personal data processing conditions:

  1. Explicit consent - The individual has given explicit consent. However, Union or Member State law may limit the circumstances in which consent is available.
  2. Legal obligation related to employment - The processing is necessary for a legal obligation in the field of employment and social security law or for a collective agreement.
  3. Vital interests - The processing is necessary in order to protect the vital interests of the individual or of another natural person. This is typically limited to processing needed for medical emergencies.
  4. Not for profit bodies - The processing is carried out in the course of the legitimate activities of a not-for-profit body and only relates to members or related persons and the personal data is not disclosed outside that body without consent.
  5. Public information - The processing relates to personal data which is manifestly made public by the data subject.
  6. Legal claims - The processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
  7. Substantial public interest - The processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law.
  8. Healthcare - The processing is necessary for healthcare purposes and is subject to suitable safeguards.
  9. Public health - The processing is necessary for public health purposes and is based on Union or Member State law.
  10. Archive - The processing is necessary for archiving, scientific or historical research purposes, or statistical purposes and is based on Union or Member State law. Member States can introduce additional conditions in relation to health, genetic, or biometric data.