37
DAYS LEFT

New registration requirements

If you use personal data in your work you are legally obliged to register here during 1 Jan - 28 Feb.
More details at odpa.gg/2021.

Lawful processing conditions for personal data

Before you start to collect or use people's data, you need to identify and document a 'lawful processing condition' (or 'lawful basis') that you can rely on. Doing this is part of your obligation under the 'lawfulness, fairness & transparency' principle. 

There is a common misconception that you need people's consent before you can do anything with their data - as you will see from the list below consent is just one of conditions that you may be able to rely on. 

Section 7 of the Law sets out the requirements for processing to be lawful. It refers to Schedule 2 of the Law and the conditions for processing within that Schedule.

Do not start processing any personal data unless you have clearly established and documented details of the relevant condition/s.

The majority of conditions require that ‘the processing is necessary’ in order to be able to rely upon them. This means that if you could reasonably achieve the same purpose without the processing you cannot rely upon that condition.

There is a separate set of conditions for when you are processing special category data (i.e. racial or ethnic origin; political opinion; religious or philosophical belief; trade union membership; genetic data; biometric data; health data; sex life; criminal data) 

For personal data not considered to be special category data, you must satisfy at least one of the conditions below:

 

  • The data subject has requested or given consent to the processing of the personal data for the purpose for which it is processed. 

  • The processing is necessary for the performance of a contract to which the data subject is a party or that is in the interests of the data subject

  • The processing is necessary to protect the vital interests of the data subject or other individual

  • The processing is necessary for the exercise or performance of a public function or task carried out in the public interest by a public authority

  • The processing is necessary for the purposes of legitimate interests (not applicable for public authorities)

  • The processing is necessary for the exercise of a right, power or duty imposed by law.

  • The information contained in the personal data has been deliberately made public by the data subject.

  • The processing is necessary for the exercise of a right or power imposed by enactment.

  • The processing is necessary in order to comply with a court order or judgement.

  • The processing is necessary for a health or social care purpose. Includes the purpose of preventative or occupational medicine, the assessment of the working capacity of an employee or worker, medical diagnosis, the provision of medical, health or social care or treatment, or the management of medical, health or social care systems and services.

  • The processing is necessary for reasons of public health.

  • The processing is necessary for the purpose of, or in connection with legal proceedings (including prospective legal proceedings), discharging any court or tribunal functions, obtaining legal advice or otherwise for the purposes of establishing, exercising or defending legal rights.

  • The processing is necessary for the administration of justice or the exercise of any function of the Crown, a Law Officer of the Crown, the States or a public committee.

  • The processing is necessary for a law enforcement purpose.

  • The processing is in the context of not-for-profit organisations that exist for political, philosophical, religious or trade-union purposes.

  • The processing is necessary for historical or scientific purposes. 

  • The processing is necessary for the purposes of equal opportunity.

  • The processing is authorised by regulation or other enactment (see 'special authorisations' document).