Data Protection and GDPR Level 3 for Managers and Business (VTQ)

64 videos, 2 hours and 55 minutes

Course Content

Lawful Basis

Video 59 of 64
6 min 21 sec
Want to watch this video? Sign up for the course or enter your email below to watch one free video.

Unlock This Video Now for FREE

This video is normally available to paying customers.
You may unlock this video for FREE. Enter your email address for instant access AND to receive ongoing updates and special discounts related to this topic.

Under GDPR you have to identify your Lawful Basis for processing data. You may find that you need to use a different Lawful Basis for different reasons or "processing activities". There are six lawful basis four of which are more likely to apply to businesses in general. 


  • gives real choice and control to the individual whose data your are processing.
  • They can withdraw consent at any time and if they do you cannot continue to process their data.  
  • You need to consider if you would be happy to delete ALL of the information you hold about this individual if they ask you to do so, when choosing this lawful basis. 


  • Can be relied upon when you need to process someone's data to fulfil a contract with the individual or to supply the individual with a quote for example.
  • When using this lawful basis you can only use (process) the data to fulfil the contract and for no other purposes.
  • If the contract involves processing personal data belonging to another individual for example where an employer purchases an online course for an employee, the contract is with the employer and another lawful basis such as legitimate interest may be more applicable.

Legal Obligation - can be relied upon if you have to process the personal data to comply with a common law or statutory obligation. (Not contractual obligations that are legally binding)

  • Legitimate Interest - this is the most flexible basis but not always the most appropriate, to use this lawful basis for processing you must make sure that your interests or the interests of any third party are not given more consideration than the individual and that the processing poses a minimal threat to their rights and freedoms. You should have a compelling reason to process their data.  A balancing test should be undertaken before selecting Legitimate Interest as your lawful basis for processing. 
  • Legitimate Interest can be a basis for providing existing customers with updates about services and goods that are related and that may be of interest to them but you must provide the opportunity for them to opt out from receiving notifications should they wish to.  This would not be appropriate for direct marketing and bombarding them to sell to them could be deemed to be putting your interests above theirs, this would not be legitimate so careful consideration when using this basis is extremely important.

Vital Interests - Likely if you need to process the personal data to protect someone's life.

Public Task - Relates to processing carried out in the exercise of official authority or to perform a specific task in the public interest that is set out in law.

If you assess your processing activities and they are not compatible with one of the lawful bases then it is deemed that you would be processing that data unlawfully.

You may identify one or more lawful basis for processing. For example it is possible to process personal data relating to goods or services using contract or legitimate interest (after balancing test)  as your lawful basis and to use consent as your lawful basis for marketing. In this situation should the data subject withdraw their consent you would cease marketing straight away but would be able to keep a record of the sale and accounting information that contains their personal data. 

Legitimate interests, it is in every business's interest to be able to keep in touch with their customers, but you need to make sure that your interests do not override the interests of the customer. In many cases, when you are buying something directly, an individual is buying something directly from you, you may think about using contract as a legal basis for supplying the goods, but maybe using legitimate interests to enable you to be able to continue to send that customer information about other goods and similar services that they may also be interested in.

There is a lot of information on the ICO website about appropriate lawful basis. They have an interactive tool on their website that can help you to identify the most appropriate Lawful Basis for your processing activities.

It is very important to take time to assess which Lawful Basis is suitable, you cannot change from one basis to another for the same processing activity.  If you ask an individual for consent to process their data for example using consent as your lawful basis and then change the lawful basis for processing their data to legitimate interest for example.  The reason for this is that the individual has been led to believe that they have control over their data and can withdraw consent if they want to, if you then change the lawful basis to one where their control is diminished you are not treating them fairly. 

On the ICO website, they say that you should make sure you pick the most appropriate and you stay with that. It does not mean that you cannot have an additional lawful basis for different types of processing. You cannot change from the one that is completely inappropriate to go with another.

Direct marketing is processing data, the most appropriate lawful basis for this processing is Consent.  When asking for consent you must provide clear and specific information and consent must be granular. For example if you ask if they are happy to receive newsletters and marketing emails this is not granular and they should be able to select one or the other.

If you are using consent and the individual withdraws their consent you must stop processing their data straight away. This means if consent was given to receive marketing emails, you must not send them anymore.

You must make it easy for individuals to unsubscribe and make sure that you don't contact them again. The easiest way to receive a complaint is to keep badgering someone who has already told you they do not want to hear from you anymore. So once someone unsubscribes, you need to have a way of recording that people are unsubscribing and to make sure that that is forwarded on to every different part of your business, so that nobody would get in touch with them again accidentally, because that is likely to set off a complaint. And that is the last thing that you want.

Have an unsubscribe link on all emails, clearly visible not hidden away at the bottom.  Giving people control over what information they receive and providing them with an easy way to unsubscribe builds confidence and trust which will provide a good relationship with your customers.  Emails should also contain a link to your privacy policy so individuals can easily find it and see how you will process their data.