To lawfully process personal data, you must be able to demonstrate you have a lawful basis and you should set this out in your privacy notice. There are 6 lawful bases under the GDPR:
- Consent of the data subject
- Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
- Processing is necessary for compliance with a legal obligation
- Processing is necessary to protect the vital interests of a data subject or another person
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller
- Necessary for the purposes of legitimate interests pursued by the data controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
Our team can guide you through how to identify a lawful basis before you can process personal data, and whether you need to update your current practices.
