Under the GDPR, a lawful basis (previously known as a 'condition for processing') will need to be identified and documented before personal data is processed. This is especially important as the lawful basis chosen will have a strong effect on an individual's rights: for example, where the University relies on consent to process data, an individual will have additional rights. For further information see here.
For most activities, it will be relatively straightforward to identify the appropriate lawful basis (options below). In an effort to assist, the Information Commissioner's Office has produced a lawful basis interactive guidance tool available here.
If you are unsure what ground to rely on, contact the Information Governance Officer for further information at dataprotection@york.ac.uk.
Lawful basis for processing personal data
6 (1) (a) - Consent of the data subject
6 (1) (b) - Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
6 (1) (c) - Processing is necessary for compliance with a legal obligation
6 (1) (d) - Processing is necessary to protect the vital interests of a data subject or another person
6 (1) (e) - Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
6 (1) (f) - Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject
Note: Legitimate interests (6 (1) (f)) cannot be used by the University in relation to processing that falls within our public task (6 (1) (e) would be a possible alternative). For non-public task processing, legitimate interests remain an option. Before relying on this ground, seek the views of the Information Governance Officer.
Condition for processing special categories of data
In order to process special category data, you will need to identify a lawful basis (from Article 6) and a condition for processing special category data under Article 9.
9 (2) (a) - Explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law
9 (2) (b) - Processing is necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement
9 (2) (c) - Processing is necessary to protect the vital interests of a data subject or another individual where the data subject is physically or legally incapable of giving consent
9 (2) (d) - Processing carried out by a not-for-profit body with a political, philosophical, religious or trade union aim provided the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without consent
9 (2) (e) - Processing relates to personal data manifestly made public by the data subject
9 (2) (f) - Processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity
9 (2) (g) - Processing is necessary for reasons of substantial public interest on the basis of Union or Member State law which is proportionate to the aim pursued and which contains appropriate safeguards
9 (2) (h) - Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional
9 (2) (i) - Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of healthcare and of medicinal products or medical devices
9 (2) (j) - Processing is necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes in accordance with Article 89 (1)