UK GDPR Lawful Basis Reference
| When It Applies | Example Activities | Rights Implication | Record Keeping Notes | Drafting Cautions |
|---|---|---|---|---|
| Consent | | | | |
| When a person freely gives a specific, informed and unambiguous opt-in for marketing emails. | Newsletter sign-ups, promotional emails, event updates, downloadable guide follow-ups. | Individuals can withdraw consent | Record consent wording, timestamp, method, source form and withdrawal history. | Do not bundle marketing consent with terms or pre-tick boxes. |
| When placing analytics, advertising or similar non-essential cookies on a user device. | Advertising cookies, social media pixels, heatmaps, analytics cookies not strictly necessary. | Individuals can withdraw consent | Keep cookie banner version, consent status, device identifier and change logs. | Separate cookie consent from privacy policy acknowledgement; allow refusal and withdrawal. |
| When explicit consent is used for sensitive data and no stronger condition is appropriate. | Optional health information, dietary requirements revealing religion, accessibility preferences, diversity surveys. | Individuals can withdraw consent | Keep explicit consent statement, Article 9 condition and withdrawal process records. | Say why sensitive data is needed and avoid vague blanket consent wording. |
| When customers voluntarily permit use of identifiable testimonials, images or case studies. | Publishing testimonials, photos, video clips, named case studies, website reviews. | Individuals can withdraw consent | Record approved content, permitted channels, duration and withdrawal handling. | Do not imply permanent use if withdrawal or takedown is offered. |
| Contract | | | | |
| When processing is necessary to create or manage an account requested by the user. | Registering accounts, login management, password resets, customer profile administration. | Depends on context | Keep terms, account request, identity fields needed and service necessity rationale. | Use only for processing genuinely necessary to provide the account service. |
| When personal data is needed to sell, deliver or support goods or services. | Order processing, payment coordination, delivery, refunds, service messages. | Depends on context | Keep order record, contract terms, fulfilment logs and payment processor records. | Do not treat optional marketing or profiling as necessary for the contract. |
| When a person asks for a quote, proposal or pre-contract information. | Quotes, demos, appointment booking, eligibility checks requested by the individual. | Depends on context | Keep enquiry, requested action, quote history and follow-up necessity evidence. | Limit this basis to steps requested before a contract is entered. |
| When processing is needed to provide a paid or free subscribed service. | Subscription activation, billing, renewals, usage limits, service notices. | Depends on context | Keep subscription terms, plan selection, renewal dates and cancellation records. | Separate contractual service messages from optional promotional messages. |
| When employee data is necessary to perform the employment contract. | Payroll administration, benefits, leave management, work scheduling, HR records. | Depends on context | Keep employment contract, HR policies, payroll instructions and necessity rationale. | Do not use contract for every HR purpose; some are legal obligation or legitimate interests. |
| Legal obligation | | | | |
| When processing is necessary to meet UK tax, VAT, accounting or audit duties. | Invoices, VAT records, company accounts, expense records, audit trails. | Limited right to object | Record applicable law, retention period, invoices and statutory accounting files. | Identify the legal duty in plain terms; avoid saying consent is needed. |
| When employers must check a worker has the right to work in the UK. | Identity document checks, immigration status checks, share code verification. | Limited right to object | Keep check date, evidence copy or online check result and retention schedule. | Explain immigration compliance without overstating ongoing monitoring. |
| When payroll data is needed to operate PAYE and report to HMRC. | PAYE reports, tax codes, National Insurance, payroll deductions, year-end submissions. | Limited right to object | Keep payroll records, HMRC submissions, tax code notices and deduction evidence. | Separate statutory payroll processing from optional employee benefits processing. |
| When processing is needed to comply with workplace health and safety duties. | Accident logs, incident reports, risk assessments, safety training records. | Limited right to object | Keep incident forms, reporting decisions, statutory basis and retention rationale. | If health data is included, also state the relevant special category condition. |
| When regulated firms must perform customer due diligence and AML checks. | Identity verification, beneficial ownership checks, sanctions screening, transaction monitoring. | Limited right to object | Keep due diligence files, risk assessments, screening results and legal retention period. | Avoid disclosing details that could prejudice suspicious activity reporting. |
| When companies must keep and file statutory company information. | Director details, PSC information, confirmation statements, statutory registers. | Limited right to object | Keep statutory registers, Companies House filings and filing dates. | Explain that some information may appear on the public register. |
| When processing is needed to comply with UK GDPR accountability duties. | Responding to rights requests, breach logs, consent withdrawal records, RoPA. | Limited right to object | Keep request logs, decision records, Article 30 records and breach assessments. | Do not delete compliance evidence merely because an erasure request is made. |
| Vital interests | | | | |
| When processing is necessary to protect someone's life in an emergency. | Sharing allergy details with paramedics, emergency contact use, urgent medical alerts. | Depends on context | Record emergency facts, recipient, timing, necessity and any follow-up review. | Use narrowly; not for routine health, safety or welfare processing. |
| When data sharing is needed to protect life during a major incident. | Evacuation lists, emergency shelter coordination, missing person information, urgent welfare checks. | Depends on context | Keep incident log, sharing recipients, reasons and proportionality review. | Avoid using vital interests where another basis is clearly available in advance. |
| When urgent disclosure is needed to prevent serious, imminent harm or death. | Urgent safeguarding referral, suicide risk escalation, emergency police or ambulance contact. | Depends on context | Record risk indicators, decision-maker, disclosure details and emergency justification. | Do not present routine safeguarding administration as vital interests. |
| Public task | | | | |
| When a public authority processes data to perform a statutory public function. | Council tax, housing services, planning applications, benefits administration. | Individuals may object | Record statutory power, public function, purpose and necessity assessment. | Name the function or enabling law; do not rely on public task for purely commercial activities. |
| When a public body processes data for public health functions or services. | Disease surveillance, immunisation programmes, NHS service planning, public health reporting. | Individuals may object | Keep public function basis, data sharing agreements and special category condition. | Explain health data safeguards and distinguish care provision from public health monitoring. |
| When a competent public body performs non-law-enforcement public functions under UK GDPR. | Licensing decisions, regulatory inspections, statutory notices, enforcement administration. | Individuals may object | Record enabling power, decision file, necessity and retention rules. | Check whether Part 3 Data Protection Act 2018 applies instead for law enforcement processing. |
| When a public education provider processes data for statutory education functions. | Admissions, attendance, safeguarding records, examinations, statutory school returns. | Individuals may object | Keep statutory function, pupil record policy, safeguarding basis and retention schedule. | Do not use consent for core school functions where there is no genuine choice. |
| Legitimate interests | | | | |
| When fraud prevention is necessary and not overridden by individual rights. | Fraud checks, suspicious order review, abuse prevention, chargeback evidence. | Individuals may object | Keep legitimate interests assessment, risk indicators, balancing test and safeguards. | Describe fraud purposes clearly without revealing controls that enable evasion. |
| When security processing is necessary to protect systems, users and services. | Security logs, access monitoring, malware detection, intrusion prevention, backups. | Individuals may object | Keep LIA, security policy, retention periods and access controls evidence. | Avoid excessive monitoring claims; explain proportionate security logging. |
| When proportionate postal marketing is sent and people can opt out. | Postal offers, customer mailshots, business development letters, charity appeals. | Individuals may object | Keep LIA, suppression list, source records and opt-out history. | Make opt-out simple and do not ignore marketing suppression requests. |
| When existing customer email marketing may use PECR soft opt-in rules. | Similar product emails to customers, renewal offers, service upgrade promotions. | Individuals may object | Keep customer relationship evidence, opt-out notices, suppression list and LIA. | Do not confuse UK GDPR basis with PECR consent rules for electronic marketing. |
| When limited analysis is needed to improve services and users would reasonably expect it. | Feature usage analysis, error trends, service performance metrics, customer feedback review. | Individuals may object | Keep LIA, minimisation steps, aggregation approach and retention limits. | Avoid presenting intrusive tracking as simple service improvement. |
| When support records are used to manage queries and improve response quality. | Support tickets, call notes, complaint trends, quality review, staff coaching. | Individuals may object | Keep LIA, call recording notices, retention schedule and access restrictions. | State if calls are recorded and avoid indefinite support history retention. |
| When processing is necessary to recover unpaid sums or manage overdue accounts. | Payment reminders, debt collection referrals, credit control notes, dispute evidence. | Individuals may object | Keep LIA, contract debt evidence, communications log and collector instructions. | Mention possible sharing with debt recovery agents where applicable. |
| When processing is needed to obtain advice or establish, exercise or defend claims. | Dispute files, solicitor correspondence, evidence bundles, litigation holds, settlement records. | Individuals may object | Keep LIA, claim basis, privilege markings, limitation period and disclosure log. | If special category data is used, add the legal claims Article 9 condition where relevant. |
| When using work contact details for proportionate business relationship management. | Supplier contacts, client relationship management, procurement emails, professional networking. | Individuals may object | Keep LIA, contact source, role relevance and objection records. | Do not assume all B2B marketing is exempt from privacy rules. |
| When limited data is needed for a merger, acquisition, investment or restructuring. | Due diligence, investor reporting, asset sale planning, business transfer records. | Individuals may object | Keep LIA, NDA, data room access logs, minimisation review and transfer records. | Disclose potential business transfer sharing without over-broad sale-of-data wording. |
| When CCTV is necessary for private premises security and proportionate to risks. | Premises CCTV, access control footage, incident investigation, theft prevention. | Individuals may object | Keep LIA, signage, camera map, retention period and access logs. | Include CCTV notices and avoid covert recording unless exceptional and justified. |
| When proportionate employee monitoring is necessary for security, compliance or productivity risks. | System access logs, device monitoring, email metadata, timesheet checks, policy compliance reviews. | Individuals may object | Keep LIA, DPIA where needed, monitoring policy and staff notices. | Avoid hidden monitoring wording; be specific about nature and purpose. |
| When processing applicant data to assess suitability and manage recruitment. | CV screening, interview notes, reference coordination, recruitment panel scoring. | Individuals may object | Keep LIA, applicant notices, scoring criteria, retention period and rejection records. | Do not retain unsuccessful applicants indefinitely or use data for unrelated purposes. |
How Should A UK Privacy Policy Explain Lawful Basis?
A UK privacy policy should identify the specific UK GDPR lawful basis for each main purpose of processing, not just list all six bases. The most useful drafting links each purpose, such as account management, marketing, fraud prevention or legal compliance, to the basis actually relied on.
When Is Consent The Right Basis Under UK GDPR?
Consent is most suitable where individuals have a genuine choice, such as optional email marketing, non-essential cookies or use of special category data where explicit consent is needed. It should not usually be used where the organisation will process the data anyway, because individuals must be able to withdraw consent.
When Can Legitimate Interests Be Used In A Privacy Policy?
Legitimate interests is commonly used by UK organisations for fraud prevention, network security, direct marketing to existing customers, business administration and service improvement. It requires a documented balancing assessment and individuals usually have a right to object.
What Records Should UK Organisations Keep For Lawful Basis Decisions?
- Consent: keep who consented, when, how, what they were told and any withdrawal.
- Contract: keep the contract, terms, onboarding records and evidence that processing is necessary for the requested service.
- Legal obligation: keep the specific UK legal requirement, retention rationale and compliance records.
- Public task: keep the statutory power or public function being exercised.
- Legitimate interests: keep the legitimate interests assessment, including purpose, necessity and balancing test.
Why Does The Lawful Basis Affect User Rights?
The lawful basis changes how rights work. Consent can be withdrawn, legitimate interests and public task usually allow objection, and contract or legal obligation may leave only a limited right to object. Privacy policy wording should therefore avoid promising rights that do not apply in every case.