Skip to main content
Home

Lawful basis interactive guidance tool

Q1. Do you have (or intend to have) a contract with the individual?
More information

Answer 'yes' if you have a contract with the individual, or the individual has asked you to do something as a first step prior to entering into a contract (eg provide a quote).

Answer 'no' if the contract/intended contract is with one person but you need to process someone else's details.

In this context, a contract does not have to be a formal signed document, or even written down, as long as there is an agreement which meets the requirements of contract law. Broadly speaking, this means that the terms have been offered and accepted, you both intend them to be legally binding, and there is an element of exchange (usually an exchange of goods or services for money, but this can be anything of value). However, this is not a full explanation of contract law, and if in doubt you should seek your own legal advice.

If you are processing data of a child under 18, you need to be clear that the child is a party to the contract and not just their parent, and that they have the necessary competence to enter into the contract. If in doubt, seek legal advice.

Q2. Are you processing the data so that you can perform the contract or carry out a pre-contractual request from the individual?
More information

Answer 'yes' if:

  • you need to process their personal data to comply with your obligations under the contract, or to process payment details.
  • you haven’t yet got a contract with the individual, but they have asked you to do something as a first step (eg provide a quote) and you need to process their personal data to do what they ask.

Answer 'no' if you are taking pre-contractual steps on your own initiative, or at the request of a third party.

Answer 'no' if you are using customer data for broader business purposes, rather than specifically to deliver the contractual service - even if the reuse of data is mentioned in your terms and conditions.

Q3. Could you reasonably perform the contractual service (or take the requested first step) without this processing?
More information

Processing must be 'necessary' for performance of the contract. Even if the processing is part of your terms and conditions, this doesn't automatically mean it is 'necessary'. Necessary means the processing is a targeted and proportionate way of performing the contract. This basis will not apply if there is another reasonable and less invasive way to provide the contractual services or take the steps requested.

Answer 'no' only if the processing is necessary to deliver the contractual service to this person. If the processing is necessary to maintain your business model more generally, this lawful basis will not apply and you should consider another lawful basis, such as legitimate interests.