Legal Grounds for Data Processing

All processing of personal data must comply with all six general data quality principles, found in Art. 5 (1) of the GDPR. Personal data must be:

  1. processed fairly and lawfully;
  2. collected for specific, explicit and legitimate purposes and not processed in a manner incompatible with those purposes;
  3. adequate, relevant and not excessive;
  4. accurate and, where necessary, up to date;
  5. kept in an identifiable form for no longer than necessary; and
  6. kept secure.


Please visit:

To processing personal data, you must also have a lawful basis under the GDPR’ Article 6(1), namely the processing should be:

  1. carried out with the data subject’s consent;
  2. necessary for the performance of a contract with the data subject;
  3. necessary for compliance with a legal obligation;
  4. necessary in order to protect the vital interests of the data subject;
  5. necessary for the public interest or in the exercise of official authority; or
  6. necessary for the controller’s or recipient’s legitimate interests, except where overridden by the interests of the data subject.


Please visit:

In point e), ‘public interest’ defined by the Data Protection Act 2018 includes processing of personal data that is necessary for:

  1. the administration of justice,
  2. the exercise of a function of either House of Parliament,
  3. the exercise of a function conferred on a person by an enactment or rule of law,
  4. the exercise of a function of the Crown, a Minister of the Crown or a government department, or
  5. an activity that supports or promotes democratic engagement.


Please visit: