There are 6 legally recognised grounds for processing personal data. Your organisation will need to determine which is appropriate for each data flow. One or more grounds may apply. No one ground is more viable than another in law – it will simply depend on the purpose behind the use of the data.
- Agreement by direct Consent: ie the person whose data the organisation wishes to hold has agreed that the organisation may process their personal details for the purpose that has been agreed
- Agreement via a Contract: ie where the person enters into a contract that requires the organisation to hold specific personal data, because the organisation needs that data in order to fulfil its end of the deal
- Legal obligation: ie where the law requires that the organisation collates and holds the personal data – and thus does not require either consent or contract with the individual concerned
- Vital interests: ie where data must be held to preserve someone’s life
- Public task: ie where there is a function carried out by the organisation, in line with its legal obligations, where the processing of personal data is required in order to fulfil that function
- Legitimate interests: ie there is good reason for the organisation to collate the personal data in order to carry out its day-to-day activities, or those of a third party, unless this is superseded by the necessity to protect that individual’s information
In some instances, when there is Special Category data or criminal offence data, a further check is needed that there is a legal ground for collating and processing this data. In such instances, the individual needs to be informed as to how the personal data will be processed and under what legal basis.