Under GDPR, we must have a lawful basis for processing personal data
What is a lawful basis?
The GDPR provides a list of reasons that organisations can use to legitimately process personal data. These are known collectively as the Lawful Bases for Processing.
What are the lawful bases for processing data under GDPR?
Please see the full list of lawful bases below:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: Processing the personal data is necessary for the purpose of fulfilling a contract you have with an individual.
(c) Legal obligation: It is necessary to process the data to comply with the law.
(d) Vital interests: Processing the personal data is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
It is a common myth that under GDPR it is only possible to process personal data if you have consent from the individual first. In reality, if any of the lawful bases (b) – (f) are applicable, consent is not required.
What about special category data?
The GDPR has classified some types of personal data as being more sensitive than others. These types of personal data are known as special category data. The following data is considered to be special category data under GDPR:
- personal data revealing racial or ethnic origin;
- personal data revealing political opinions;
- personal data revealing religious or philosophical beliefs;
- personal data revealing trade union membership;
- genetic data;
- biometric data (where used for identification purposes);
- data concerning health;
- data concerning a person’s sex life; and
- data concerning a person’s sexual orientation.
We cannot process any of the categories of personal data above unless we have both a lawful basis for processing the personal data, from the list of lawful bases (a) – (f) earlier on this page, AND something called a Condition for Processing. Conditions for processing are essentially another list of reasons that the personal data can be processed. The full list of conditions for processing is as follows:
(a) Explicit consent
(b) Employment, social security and social protection (if authorised by law)
(c) Vital interests
(d) Not-for-profit bodies
(e) Made public by the data subject
(f) Legal claims or judicial acts
(g) Reasons of substantial public interest (with a basis in law)
(h) Health or social care (with a basis in law)
(i) Public health (with a basis in law)
(j) Archiving, research and statistics (with a basis in law)
So, to recap:
- If it's personal data, you need a lawful basis to process it.
- If it's special category data (i.e. the sensitive categories of data outlined in the list above), you need a lawful basis AND a Condition for Processing to process it.
What lawful bases do the Liberal Democrats use to process personal data?
A full list of the lawful bases we use for each type of data that we process can be found here: www.libdems.org.uk/table-of-legal-basis.
What should I do if someone asks me about our lawful basis for processing personal data?