GDPR: Lawful use of Data

What is legal?

You must have a valid lawful basis in order to process personal data.

There are six available lawful bases for processing. Which basis is most appropriate to use will depend on your purpose and relationship with the individual.

The lawful bases for processing are set out in Article 6 of the GDPR. At least one of the following must apply whenever you process personal data:

  • Consent: the individual has given clear consent for you to process their personal data for a specific purpose. Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build customer trust and engagement, and enhance your reputation.
  • Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
  • Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
  • Vital interests: the processing is necessary to protect someone’s life.
  • Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  • Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

Legitimate interests can be the most flexible lawful basis for processing but you cannot assume it will always be the most appropriate. It is likely to be most appropriate where you use people’s data in ways they would reasonably expect, and which have a minimal privacy impact, or where there is a compelling justification for the processing.

If you choose to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people’s rights and interests.

More detailed descriptions of each lawful basis can be found in the ICO’s GDPR Guide.

Essentially, any data processing you perform must be necessary. If you can achieve the same outcome without the data, you won’t have a lawful basis.

If you do have a lawful basis, make sure you document this before undertaking the processing. You should have your lawful basis detailed in your privacy notice.

Next up in our GDPR series, we’ll look at individuals’ rights. Once we’ve gone over the basics we’ll move into Part 2 of the series. This will include how GDPR applies to those in event management and Organisers using Helm Tickets.
