Part of the first principle of GDPR is the ability to identify the legal basis for processing personal data.  This helps to satisfy all three of the elements of the joint principle of being “legal, fair and transparent”.  As has been mentioned in the {} blog, there can be more than one legal process that relates to the various elements of the interaction between an organisation and an individual.  It should be said that while no single basis of processing is legally any better than any other, it is best to get it right first time around as changing things can prove to be time consuming.


What are the Bases for Processing

The diagram below shows what they are and there will be a short explanation about each of them below it.  Each basis for processing will deal with a particular characteristic of the interaction between the customer and the individual.


Wherever a contract exists, written or verbal, this will be the basis for collating and storing the basic information about an individual relevant to that process.  Be wary that no money needs to change hands for a contract to exist as the highest definition of a contract is that “goods and/or services are provided in return for a reward”.  This definition would, for example include interaction where bartering is the method used to provide the reward.

A contract exists between an organisation and a client/customer/member as well as between an employee and an employer.

A contract as basis for processing may not be the only basis of processing for one relationship.



Consent is perhaps the most misused phrase in relation to data protection as there is a specific set of circumstances that defines consent with the most recent data protection legislation.

Consent can only be agreed as a basis for processing where:

Believe it, or not, this is such a huge topic and I will write a separate blog on this topic.


Legitimate Interest

This basis can be used where the purpose for you collating and storing data is not directly related to the primary interaction, but you believe is required to safely discharge your responsibilities towards an individual.

Most often legitimate interest is used as the basis for processing special category data, or for the security and wellbeing of individuals in a non-emergency situation.  For example, an employee has a right to have information relevant to their employment on their record and for the employer to ensure that this information in used to ensure fairness in dealing with their employee.  This information can be health related, preference related, etc. but it will always need to be utilised with sensitivity and it cannot be ignored.


Legal Obligation

Legal obligation is the primary basis for processing where a contract cannot be used, like a council and their tenants, a school and their pupils and other such relationships.

Employers also utilise the legal obligation basis for processing as they have to provide income data to the HMRC.

If there is no legal obligation this should not be your basis for processing information about an individual.


Public Interest – or Public Task

For once there is a clear definition from the regulations in that – “the relevant task or function must have a clear basis in law”.

Still unsure?  The real point is that your overall purpose must be to perform a public interest task or exercise official authority, and that overall task or authority has a sufficiently clear basis in law.

Obviously, this captures the processes used by all law enforcement agencies for normal processes (for extreme activities see the explanation in the Vital Interest section) and our lovely meter attendants (yes – our number plates do identify us).


Vital Interest

Again, we have another definition to help us here. This time it is:

The processing of personal data should also be regarded as lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis”.

Decoded this means using information about a person in an emergency (potentially life threatening) situation – and it doesn’t have to be about the person you are talking to.  The most frequent use I have come across would be using the emergency services.  What this, therefore, means is that there are some cases where, as an organisation, you can share information without specific consent.


Multiple uses of the bases of processing

With one relationship, either organisation and a client/customer/member, or an employee and an employer more than one basis for processing can exist and this is a very frequent occurrence.

Let’s look at some basic examples:

A School

Legal Obligation for                      Identity, educational record, HMRC record (staff).

Consent for                                     Use of images (including social media).

Legitimate Interest for                 Health, preferences.

Vital Interest for                            Emergency situations.

Contractual Obligation for           Employment (of staff).


A Retailer

Contractual Obligation for           Purchase, identity, guarantee, payment, employment.

Vital Interest for                            Emergency situations.

Legitimate Interest for                 Delivery (may include data sharing).

Legal Obligation for                     HMRC record (staff).



There is so much more information available, some of it very detailed.  Please look through the other blogs and see if the information you want is provided.


If not, we would be pleased to answer your enquiry through enquiries@eyebray.com , or visit

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/ for more information direct from the ICO.


2 Responses

Leave a Reply

Your email address will not be published. Required fields are marked *