The UK's independent authority set up to uphold information rights in the public interest, encourage public bodies to be open and promote data privacy for individuals.

Documenting your lawful basis

You document and appropriately justify your organisation’s lawful basis for processing personal data in line with Article 6 of the UK GDPR (and Articles 9 and 10, if the processing involves special category or criminal offence data).

Ways to meet our expectations:

  • Your organisation selects the most appropriate lawful basis (or bases) for each activity following a review of the processing purposes.
  • You document the lawful basis (or bases) relied upon and the reasons why.
  • If your organisation processes special category or criminal offence data, you identify and document a lawful basis for general processing and an additional condition for processing this type of data (or in the case of criminal offence data, you identify the official authority to process).
  • In the case of special category or criminal offence data, you document consideration of the requirements of Article 9 or 10 of the UK GDPR and Schedule 1 of the DPA 2018 where relevant.
  • Where Schedule 1 requires it, you have an appropriate policy document including:
    • which Schedule 1 conditions you are relying upon;
    • what procedures you have in place to ensure compliance with the data protection principles;
    • how you will treat special category or criminal offence data for retention and erasure purposes;
    • a review date; and
    • details of an individual assigned responsibility for the processing.
  • You identify the lawful basis before starting any new processing.

Can you answer yes to the following questions?

  • Would customers agree that your privacy notice is easy to find, access and understand?