The Information Commissioner's Office (ICO) guidance on legal bases states that no basis is "better" or more important than the others; all are equally valid. The most appropriate basis depends on the purpose for which the data is processed and the relationship with the individual. The legal basis must be determined before the processing starts, and the processing must be necessary to achieve the purpose for which it is carried out.

A written contract (or other legal act) must be in place whenever a data controller uses a processor. The contract is important so that both parties can understand their responsibilities and obligations. If a processor uses an external organisation (a sub-processor) to assist it in the processing of a controller's personal data, it must have concluded a written contract with that sub-processor.

Each contract essentially means that personal data relating to a living person will be processed. The conclusion of a contractual relationship therefore depends on the provision of personal data and, depending on the nature of the contract, this concerns at least the contact details of the data subjects. However, some types of contracts, for example an insurance contract, require a much larger amount of personal data. It is therefore crucial not to stretch the definition of a fair contract to avoid having to use consent.

Many situations could be considered a contract, and there may be cases where a data controller takes a broader approach to using a contract as a basis for lawful processing. This condition is particularly relevant for employers, for example, if you are: Is IIED willing to explain this processing to the person?

This is a processing activity that a data subject would normally expect from an organisation to which he or she provides his or her personal data, such as marketing and fraud prevention activities. If legitimate interest is used as a legal basis for processing, the organisation must perform a balancing test: is this processing activity necessary for the functioning of the organisation? Does the processing outweigh the risks to a data subject's rights and freedoms? If the answer to any of these questions is no, the organisation cannot use legitimate interest as a legal basis for the processing.

A church processes the personal data of its members and supporters in order to carry out church activities and provide pastoral care. The church can rely on the charitable condition to process data that reveals their religious beliefs.

Use of consent as a legal basis for lawful processing

You might think that more than one basis applies, in which case you should identify and document them all from the start. Under EU data protection law, there must be a legal basis for any processing of personal data (unless there are exceptions). It is important to remember that once you start processing this data, you become the data controller, and this condition does not release you from your other obligations under the UK GDPR. You must be able to demonstrate at all times that your processing is generally lawful, fair and transparent and, in particular, that you have a valid legal basis.

You must take into account the individual's reasonable expectations regarding further use of the data to ensure that your processing is fair. Apart from consent, all other legal bases for data processing require that the processing be necessary. This means that organisations should only collect and process information for specific purposes. This list focuses on scenarios where processing is necessary for the conduct of transactions and falls under the legal basis of contracts, legal obligations or legitimate interests. We wrote a completely different blog post about consent, which you can read here. You should note that when using legitimate interests for marketing activities, the data subject's right to object is absolute: you must stop the processing if someone objects.