Lawful basis for processing personal data

1. Data protection legislation states that processing shall be lawful only if, and to the extent that, at least one of the following applies. The Association must identify at least one lawful basis in order to process personal data lawfully.

Table A

| Serial | Lawful Basis for Processing | Guidance |
|---|---|---|
| (a) | the data subject has given consent to the processing of his or her personal data for one or more specific purposes | Members (data subjects) apply to the Association for membership services and freely provide their personal data in membership application forms. Where processing is based on consent, the Association must be able to demonstrate that the data subject has consented to processing of his or her personal data. The data subject shall have the right to withdraw his or her consent at any time. |
| (b) | processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract | Members pay a subscription to the Association in return for membership services. For this to happen, personal data is required to be captured and therefore this lawful basis would apply. |
| (c) | processing is necessary for compliance with a legal obligation to which the controller is subject | Personal data of employees of the Association is processed in line with employment law and requirements of HM Revenue & Customs (HMRC). |
| (d) | processing is necessary in order to protect the vital interests of the data subject or of another natural person | Where access to personal data held by the Association is required in an emergency to protect the vital interests of an individual, the release of that personal data would be lawful under this basis (e.g. a hospital contacts the Association to obtain contact details held due to an employee or member being in a critical condition and unable to give consent themselves for access to their data). |
| (e) | processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller | Most relevant to public authorities. |
| (f) | processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child | Companies and organisations often need to process personal data in order to carry out tasks related to their business activities – this is referred to as their ‘legitimate interests’. The Association offers services to individuals who wish to apply for membership, therefore personal data is required in order to process those membership application forms and to provide members with information on events and services. These are the ‘legitimate interests’ of the Association. |

  

Special category data

2. Special category data is data that relates to:

(a) race

(b) ethnic origin

(c) politics

(d) religion

(e) trade union membership

(f) genetics

(g) biometrics (where used for ID purposes)

(h) health

(i) sex life

(j) sexual orientation

3. To lawfully process personal data that falls into the category of special category data, the Association must be able to demonstrate that it meets at least one of the lawful bases for processing shown in Table B below, in addition to at least one of the lawful bases for processing shown in Table A above.

Table B

| Serial | Lawful Basis for Processing | Guidance |
|---|---|---|
| (a) | the data subject has given explicit consent to the processing of those personal data for one or more specified purposes | As described in Table A. |
| (b) | processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law | Relevant to the processing of employee data by the Association. |
| (c) | processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent | As described in Table A section (d). |
| (d) | processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects | The Association processes personal data under a charity status, only processes data in relation to members and former members and does not disclose without the consent of the members. |
| (e) | processing relates to personal data which are manifestly made public by the data subject | Where personal data is already made public the Association would be able to process that personal data legitimately. |
| (f) | processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity | Commonly used by authorities and legal firms. |
| (g) | processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law | There may be circumstances where the Association is required to release personal data to authorities. |
| (h) | processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services | Relevant to healthcare providers or where companies carry out occupational health checks. |

(Version 2018.1 updated June 2018)