The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Documenting your lawful basis

You document and appropriately justify your organisation’s lawful basis for processing personal data in line with Article 6 of the GDPR (and Articles 9 and 10, if the processing involves special category or criminal offence data).

Ways to meet our expectations:

  • Your organisation selects the most appropriate lawful basis (or bases) for each activity following a review of the processing purposes.
  • You document the lawful basis (or bases) relied upon and the reasons why.
  • If your organisation processes special category or criminal offence data, you identify and document a lawful basis for general processing and an additional condition for processing this type of data (or in the case of criminal offence data, you identify the official authority to process).
  • In the case of special category or criminal offence data, you document consideration of the requirements of Article 9 or 10 of the GDPR and Schedule 1 of the DPA 2018 where relevant.
  • Where Schedule 1 requires it, you have an appropriate policy document including:
    • which Schedule 1 conditions you are relying upon;
    • what procedures you have in place to ensure compliance with the data protection principles;
    • how you will treat special category or criminal offence data for retention and erasure purposes;
    • a review date; and
    • details of an individual assigned responsibility for the processing.
  • You identify the lawful basis before starting any new processing.

Can you answer yes to the following questions?

  • Would customers agree that your privacy notice is easy to find, access and understand?