Lawful processing and transfer of personal data overview

The Lawful processing and transfer of personal data subtopic in Lexis®PSL explains and provides practical guidance on the six potential lawful grounds for processing personal data under the UK General Data Protection Regulation (UK GDPR), also known as the legitimate grounds or conditions for processing.

Why is this important?

An organisation cannot simply process personal data because it wishes to do so. It can only process personal data if it satisfies one of the conditions set out in Article 6(1) of the UK GDPR. These are commonly known as the ‘lawful grounds’, ‘legitimate grounds’ or ‘conditions’ for processing.

If your organisation processes personal data in the absence of a lawful ground, it will breach the UK GDPR. Failing to comply with the UK GDPR can expose an organisation to serious reputational damage, claims by aggrieved data subjects and fines up to £17.5m or up to 4% of the total worldwide annual turnover.

The lawful grounds for processing personal data under UK GDPR

There are six potentially lawful grounds for processing personal data:

  • the data subject has given consent to the processing of their personal data for one or more specific purposes
  • processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject before entering into a contract
  • processing is necessary for compliance with a legal obligation to which you are subject
  • processing is necessary to protect the vital interests of the data subject or another natural person
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in you
  • processing is necessary for the purpose of the legitimate interests pursued by you or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child

For guidance on processing sensitive personal data, see Lexis®PSL Practice Note: Processing personal data—lawful processing—Grounds required for special category personal data.

Apart from processing on the basis of consent, each lawful ground for processing personal data is conditional on the processing being ‘necessary’ for the particular purpose to which the ground relates. See Lexis®PSL Practice Note: Processing personal data—lawful processing—Processing must be necessary.

Consent

There are two levels of consent depending on the type of data you are processing:

  • standard consent, which is required when you rely on consent to process non-sensitive personal data
  • explicit consent, which is required when you rely on consent to process special category personal data

Where processing is based on consent, it is for you to demonstrate that the data subject has given that consent.

The Information Commissioner’s Office (ICO) has published guidance on consent which illustrates the increased compliance burden involved in obtaining, demonstrating and recording valid consent.

For more guidance, see Lexis®PSL Practice Notes: Processing personal data—standard of consent and Processing personal data—obtaining, recording and managing consent. Many organisations use a preference centre to obtain and manage consent—see Lexis®PSL Precedent: Preference centre supplier questionnaire.

Standard consent for non-sensitive personal data

Under the UK GDPR, consent must be:

  • freely given
  • specific
  • informed
  • unambiguous

Where you have difficulty meeting the standard for consent, this is a warning sign that consent may not be the most appropriate basis for your processing and you should look for another basis.

For more guidance, see Lexis®PSL Practice Note: Processing personal data—standard of consent—Standard consent—personal data other than special category data.

Explicit consent for special category personal data

For guidance on the meaning of the term ‘special category personal data’, see Lexis®PSL Practice Note: Key definitions under data protection law—Special category personal data.

References:

Article 9 of Retained Regulation (EU) 2016/679, UK GDPR

To process special category personal data, you:

There are ten potential specific conditions for processing special category personal data, the first of which is that the data subject has given explicit consent, unless EU or domestic law prohibits consent in the particular circumstances.

This means if you are relying on consent to process special category personal data, that consent must be explicit, as well as being specific, informed and unambiguous. For more guidance, see Lexis®PSL Practice Note: Processing personal data—standard of consent—Explicit consent—special category data.

Performance of a contract

You will be permitted to process personal data where necessary:

  • for the performance of a contract to which the data subject is party, or
  • to take steps at the request of the data subject before entering into a contract

There is very little commentary on this ground in the UK GDPR recitals, which simply say that processing should be lawful where it is necessary in the context of a contract or the intention to enter into a contract. For more guidance, see Lexis®PSL Practice Note: Processing personal data—lawful processing—Performance of a contract.

Compliance with a legal obligation

You will be able to process personal data, where doing so is necessary for compliance with a legal obligation to which you are subject.

The processing must have a basis in EU or domestic law, rather than a contractual obligation, but the UK GDPR does not require a specific law for each individual processing—several processing operations may be based on the same piece of law. An obvious example is processing for the purpose of discharging client due diligence (CDD) obligations under the Money Laundering Regulations 2017.

This ground is likely to be relevant to commercial organisations in relation to CDD and similar legal obligations, but it will be important to: t

  • ensure the processing does not go beyond whatever is necessary to comply with the legal obligation
  • give notice of the processing to the data subject

Vital interests of the data subject or of another natural person

The UK GDPR recitals appear to anticipate a high threshold for this ground:

‘…processing of personal data should…be regarded to be lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person.’

Processing based on the vital interest of someone other than the data subject should take place only where the processing cannot be manifestly based on another legal basis.

The ICO’s UK GDPR consent guidance simply states that you can process personal data if it is necessary to protect someone's life. This could be the life of the data subject or someone else.

This ground is unlikely to be helpful for most commercial processing activities.

For the performance of a task carried out in the public interest or in the exercise of official authority vested

This ground is unlikely to be relevant to most commercial organisations and has therefore not been given further consideration in this Practice Note. Organisations wishing to rely on this ground should consider UK GDPR, recital 45.

Legitimate interests

Processing is lawful where it is necessary for the purposes of the legitimate interests of the controller or a third party, subject to exceptions. See Lexis®PSL Practice Note: Processing personal data—legitimate interests and GDPR compliance—conducting a legitimate interest assessment.

It is for you to demonstrate that your compelling legitimate interest overrides the interests or the fundamental rights and freedoms of the data subject. The UK GDPR recitals mention, several times, the need to conduct some sort of an assessment when relying on this ground, ie you will need to conduct a legitimate interests assessment. See Lexis®PSL Precedent: Legitimate interest assessment—data processing.

Legitimate interests is not an appropriate ground for public authorities, as it is for the domestic legislator to provide by law for the legal basis for public authorities to process personal data.