There are 6 lawful bases for processing personal data under the UK GDPR (General Data Protection Regulation);
the lawful bases for processing personal data are outlined in Article 6, and they are as follows:
- Consent: The individual has given clear consent for you to process their personal data for a specific purpose.
- Contractual necessity: Processing is necessary for the performance of a contract to which the individual is a party or to take steps at the request of the individual prior to entering into a contract.
- Legal obligation: Processing is necessary for compliance with a legal obligation to which the data controller is subject.
- Vital interests: Processing is necessary to protect the vital interests of the individual or another person.
- Public task: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.
- Legitimate interests: Processing is necessary for the purposes of the legitimate interests pursued by the data controller or a third party, except where such interests are overridden by the interests, rights, or freedoms of the individual.
These lawful bases provide a framework for organisations to ensure that they are processing personal data in a manner that is fair, transparent, and respects the rights of individuals under the UK GDPR.