For processing of personal data to be lawful, all staff, students and others who process personal data must identify specific grounds for the processing. This is called a lawful basis and there are six options under Article 6 of the GDPR which depend on the purpose of the processing and the relationship with the data subject.
If special categories of personal data are being processed, the data is more sensitive and requires more protection. Both a lawful basis for general processing (under Article 6 of the GDPR) and an additional condition for processing (under Article 9 of the GDPR) are required.
A lawful basis must be established before processing begins and should be documented. If no lawful basis applies then the processing will be unlawful and in breach of the GDPR principles.
- Consent - the individual has given clear consent to process their data for a specific purpose
- Contract - the processing is necessary for a contract you have with the individual or because they have asked you to take specific steps before entering into a contract
- Legal obligation - the processing is necessary to comply with the law (not including contractual obligations)
- Vital interests - the processing is necessary to protect someone's life
- Public task - the processing is necessary to perform a task in the public interest or for official functions and the task or function has a clear basis in law
- Legitimate interests - the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual's personal data which overrides those legitimate interests. This cannot apply if you are a public authority processing data to perform your official tasks.
At least one of these lawful bases must apply whenever personal data is being processed.