You document and appropriately justify your organisation’s lawful basis for processing personal data in line with Article 6 of the UK GDPR (and Articles 9 and 10, if the processing involves special category or criminal offence data).
Ways to meet our expectations:
- Your organisation selects the most appropriate lawful basis (or bases) for each activity following a review of the processing purposes.
- You document the lawful basis (or bases) relied upon and the reasons why.
- If your organisation processes special category or criminal offence data, you identify and document a lawful basis for general processing and an additional condition for processing this type of data (or in the case of criminal offence data, you identify the official authority to process).
- In the case of special category or criminal offence data, you document consideration of the requirements of Article 9 or 10 of the UK GDPR and Schedule 1 of the DPA 2018 where relevant.
- Where Schedule 1 requires it, you have an appropriate policy document including:
  - which Schedule 1 conditions you are relying upon;
  - what procedures you have in place to ensure compliance with the data protection principles;
  - how you will treat special category or criminal offence data for retention and erasure purposes;
  - a review date; and
  - details of an individual assigned responsibility for the processing.
- You identify the lawful basis before starting any new processing.
Can you answer yes to the following questions?
- Would customers agree that your privacy notice is easy to find, access and understand?