Processing Personal Data Lawfully

Under UK GDPR, we must have a lawful basis for processing personal data

What is a lawful basis?

The UK GDPR provides a list of reasons that organisations can use to legitimately process personal data. These are known collectively as the Lawful Bases for Processing.

What are the lawful bases for processing data under UK GDPR?

Please see the full list of lawful bases below:

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose. (Example: Consenting to receiving further email marketing from the Party through a survey)

(b) Contract: Processing the personal data is necessary for the purpose of fulfilling a contract you have with an individual. (Example: Processing personal data as part of an Employment contract or Party Membership)

(c) Legal obligation: It is necessary to process the data to comply with the law. (Example: Permisibility checks on donations received by the Party)

(d) Vital interests: Processing the personal data is necessary to protect someone’s life. (Example: Police or Healthcare organisations)

(e) Public task: the processing is necessary for you to perform a task in the public interest. (Example: Use of the Electroal Register)

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (Example: Contacting voters / members / supporters outside of an election period to engage with our campaigns and activities)

It is a common myth that under UK GDPR it is only possible to process personal data if you have consent from the individual first. In reality, if any of the lawful bases (b) – (f) are applicable, consent is not required.

What about special category data?

The UK GDPR has classified some types of personal data as being more sensitive than others. These types of personal data are known as special category data. The following data is considered to be special category data under UK GDPR:

• personal data revealing racial or ethnic origin;
• personal data revealing political opinions;
• personal data revealing religious or philosophical beliefs;
• personal data revealing trade union membership;
• genetic data;
• biometric data (where used for identification purposes);
• data concerning health;
• data concerning a person’s sex life; and
• data concerning a person’s sexual orientation.

We cannot process any of the categories of personal data above unless we have both a lawful basis for processing the personal data from the list above AND something called a Condition for Processing.  Conditions for processing are essentially another list of reasons that the personal data can be processed. The full list of conditions for processing is as follows:

(a) Explicit consent
(b) Employment, social security and social protection (if authorised by law)
(c) Vital interests
(d) Not-for-profit bodies
(e) Made public by the data subject
(f) Legal claims or judicial acts
(g) Reasons of substantial public interest (with a basis in law)
(h) Health or social care (with a basis in law)
(i) Public health (with a basis in law)
(j) Archiving, research and statistics (with a basis in law)

So, to recap:

• If it's personal data, you need a Legal Basis to process it
• If it's Special Category Data (i.e. sensitive categories of data outlined in the list above), you need a Legal Basis AND a Condition for Processing to do so

What lawful bases do the Liberal Democrats use to process personal data?

Our types of processing activities and the lawful basis we use for each one, can be found in the main Privacy Policy here.

What should I do if someone asks me about our lawful basis for processing personal data?

As a first step you can direct them to the privacy policy (available here). The privacy policy includes our lawful basis for processing as described above. If the individual is not satisfied, please redirect the query to: data.protection@libdems.org.uk.