
Durham University

Information Governance

Lawful Bases

The General Data Protection Regulation (GDPR) requires that a data controller establishes a lawful basis for each and every personal data processing activity it performs directly, or indirectly via any data processors.

There are six lawful bases available and each requires that processing is 'necessary'. If the same outcome can be achieved without processing the personal data then to process it would be unlawful. The lawful bases are:

The processing of special category data (sensitive personal data) or personal data relating to a criminal conviction or offence requires both a lawful basis for general processing and an additional condition.