• Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract
• Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations)
• Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law
• Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests
If you are a public authority, you cannot rely on legitimate interests for any processing you do to perform your tasks as a public authority. However, if you have other legitimate purposes outside the scope of your tasks as a public authority, you can consider legitimate interests where appropriate.
Universities and museums are likely to be classified as public authorities, so the ‘public task’ basis is likely to apply to much of their processing. But where they are processing personal data separate from their tasks as a public authority, then they may instead wish to consider whether either the lawful basis of consent or that of legitimate interests is appropriate. These bases could apply, for example, where they are processing personal data for alumni relations or for fundraising purposes.
There are other lawful bases which could also be relevant. For more information see the lawful basis section of our Guide to GDPR.
You will need to provide the ICO with the contact details of your DPO when you pay your fee.
• Explicit consent
• Employment law
• Vital interests of anyone
• Not-for-profit TU/religious/ political/philosophical groups
• Already in public domain
• Legal proceedings/advice
• Substantial public interest
• Medical purposes
• Public Health
• Archiving in public interest, scientific/historical research purposes or statistical purposes
To process such data, you must have both a legal basis under Article 6 and either legal authority or official authority for the processing under Article 10.
Individual rights: erasure; restrict processing; data portability; object; automated decision-making (ADM)/profiling
You must:
• Where you refuse a request, explain why to the individual, informing them of their right to complain to the ICO and to a judicial remedy, without undue delay and at the latest within one month
• Base any fee on the administrative costs of providing the information
• If a request is made electronically, provide the information in a commonly used electronic format
It would be considered best practice, where possible, to provide remote access to a secure self-service system which would give individuals direct access to their information. Where you process a large quantity of information, the GDPR permits you to ask the individual to specify the information that the request relates to.
This right only applies if:
• The individual has provided you with their personal data
• The data is processed by consent or a contract
AND
• Processing is carried out by automated means
This right does not apply when the data processing is necessary for the performance of a task carried out in the public interest or in the exercise of your official authority. However, it may be good practice to provide for portability regardless.
You must identify whether any of your processing falls under Article 22 and, if so, make sure that you:
• Give individuals information about the processing
• Introduce simple ways to request human intervention or challenge a decision
• Carry out regular checks to make sure that your system works as intended
The GDPR emphasises the need for transparency over how you use personal data. This can be achieved by providing individuals with privacy information (typically through a privacy notice), such as how their data will be processed, who it will be shared with and what their rights are with respect to it (Articles 13 and 14). If individuals know this information from the outset, they will be able to make informed decisions in relation to their personal data.
• Staff training
• Internal audits
• Pseudonymisation and encryption
• A process for regularly testing, assessing and evaluating measures
• Breach Management
ICO: /iconews, @iconews, http://ico.org.uk/livechat