
What legal grounds do you have?

Nick Hunt, Technical Manager, Specialist Business Support
3 minutes read
Last updated on 23rd May 2018

Overview

To hold and process personal data, you need to have and document at least two lawful grounds for doing so. Find out what the lawful reasons for holding personal data might be.

Legal Grounds

Doing anything with your clients’ non-sensitive personal data relies on you having the ‘legal grounds’ to do so. Below are the six allowable legal grounds to consider. No single basis is more important than another:

  • Necessary for the controller’s legitimate interests – If it’s necessary to use personal information for business purposes

  • Consent – this has to be given freely (you can’t insist upon it in exchange for a service); it has to be specific to how the data is used; unambiguous (there’s no doubt that consent has been given); and informed (they need to know how you plan to use it before consent can count)

  • Necessary to perform a contract – if you’ve been asked to do something and the use of their personal data is necessary

  • Necessary to comply with a legal requirement – if you’re legally required to do something and need the personal data to do it

  • Necessary to protect vital interests – if it’s in your client’s best interests, such as a medical emergency

  • Necessary to perform a task in the public interest – this could be sharing information with police, security services, etc.

If satisfied that you meet the requirements of legal grounds, you’ll need to document it and take care to get it right first time around (you won’t be able to swap these around at a later stage without good reason). If the purpose changes, you may continue to process the data under the initial lawful basis, provided the new purpose is compatible with the initial purpose.

If you use any form of e-marketing, it’s worth knowing that similar rules apply under the Privacy and Electronic Communications Regulations (PECR). PECR is intended to restrict unsolicited marketing by phone, fax, email, text, or other electronic message.

There are different rules for different types of communication. For example, you’ll need specific consent to send unsolicited direct marketing. The best way to obtain valid consent is to ask customers to tick opt-in boxes confirming they are happy to receive marketing calls, texts or emails from you.

For more information about PECR go to http://www.ico.org.uk/for-organisations/guide-to-pecr/

Special Categories of Personal Data

If you process someone’s personal data of a more sensitive nature (commonly referred to as Special Categories of Personal Data), you also need to satisfy one of the following grounds:

  • Explicit consent

  • Necessary for employment law

  • Necessary to protect the subject’s vital interests

  • Legitimate activity of a non-profit organisation or trade union

  • Data is already made public by the data subject

  • Necessary to defend or establish a legal claim

  • Substantial public interest

  • Necessary for preventative or occupational medicine

  • Necessary for public interest in public health

  • Necessary for archiving in the public interest

Examples of Special Categories of Personal Data include:

  • Racial or ethnic origin

  • Political opinion

  • Religious or philosophical beliefs

  • Trade union membership

  • Data concerning health and sexual orientation

  • Genetic data

  • Biometric data used for unique identification purposes, such as fingerprints

The details of the legal grounds must be captured within your Data Privacy Policy and used to notify your clients about how you use their data. For more on Data Privacy Policy, read ‘Data Policy and Notices’.


© Prudential 2019