Step 2: Legal basis

How to identify the legal basis in a privacy notice

Whenever we use personal data we must have a legal basis for doing so. Data protection law gives us a list of possible legal bases we can choose from:

  • consent
  • necessary for a contract/legal obligation
  • necessary for the performance of public tasks/core functions
  • and necessary for a legitimate interest.

For the special categories of personal data, the relevant legal bases are

  • explicit consent
  • necessary for purposes of employment or social security law
  • religious, philosophical or political charity or trade union purposes
  • necessary for medical purposes
  • necessary for archiving or statistics and research.

Your privacy notice must tell data subjects the ‘legal basis’ you are using to process personal data about them. Use the guidance on identifying the legal basis for your use of personal data to complete this section of your privacy notice. You will need to record how you have reached the decision which legal basis is applicable (except for consent) in the appropriate form. If you rely on ‘legitimate interest’ as your legal basis, you will need to insert what the University’s legitimate interest is.

Determining the legal basis for your use of personal data


Legal basis: consent

“We are using information about you because you have given us your consent”

Legal basis: public tasks/core functions

We are using information about you because marking exams is part of the core functions of a university.