All processing of personal data must comply with all six general data quality principles, found in Art. 5 (1) of the GDPR. Personal data must be:
- processed fairly and lawfully;
- collected for specific, explicit and legitimate purposes and not processed in a manner incompatible with those purposes;
- adequate, relevant and not excessive;
- accurate and, where necessary, up to date;
- kept in an identifiable form for no longer than necessary; and
- kept secure.
Please visit: https://gdpr-info.eu/art-5-gdpr/
To processing personal data, you must also have a lawful basis under the GDPR’ Article 6(1), namely the processing should be:
- carried out with the data subject’s consent;
- necessary for the performance of a contract with the data subject;
- necessary for compliance with a legal obligation;
- necessary in order to protect the vital interests of the data subject;
- necessary for the public interest or in the exercise of official authority; or
- necessary for the controller’s or recipient’s legitimate interests, except where overridden by the interests of the data subject.
Please visit: https://gdpr-info.eu/art-6-gdpr/
In point e), ‘public interest’ defined by the Data Protection Act 2018 includes processing of personal data that is necessary for:
- the administration of justice,
- the exercise of a function of either House of Parliament,
- the exercise of a function conferred on a person by an enactment or rule of law,
- the exercise of a function of the Crown, a Minister of the Crown or a government department, or
- an activity that supports or promotes democratic engagement.