Article 6 UK GDPR — The six lawful bases for processing
The UK GDPR is the EU GDPR as retained and modified for the UK from the end of the Brexit transition period on 31 December 2020; Article 6 survived largely unchanged. Every controller processing personal data in the UK must identify at least one lawful basis under Article 6(1) before beginning the processing. Processing without a lawful basis is unlawful, and one consequence is that individuals gain a right to erasure of the unlawfully processed data under Article 17(1)(d).
The six original lawful bases
Article 6(1) UK GDPR sets out six lawful bases for processing personal data:
(a) Consent — the data subject has given consent to the processing for one or more specific purposes.
(b) Contract — processing is necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract.
(c) Legal obligation — processing is necessary for compliance with a legal obligation to which the controller is subject. Article 6(3) requires that this legal obligation be laid down by domestic law; the ICO confirms this includes statutory obligations, regulatory requirements with a statutory underpinning, and certain common-law obligations where the application of the law is clear and foreseeable.
(d) Vital interests — processing is necessary to protect the vital interests of the data subject or another natural person. The ICO interprets this narrowly: it applies to matters of life and death (typically emergency medical care where the data subject is unconscious or otherwise incapable of giving consent) and cannot be relied upon for special-category health data if the individual is capable of giving consent, even if they refuse.
(e) Public task — processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Article 6(3) requires that the basis for such processing be laid down by domestic law or (as of 20 August 2025, per the Data (Use and Access) Act 2025) relevant international law. Section 8 of the Data Protection Act 2018 specifies that public-task processing includes the administration of justice, functions of either House of Parliament, functions conferred by enactment or rule of law, functions of the Crown, Ministers or government departments, and activities that support or promote democratic engagement.
(f) Legitimate interests — processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. This basis requires a balancing test (a Legitimate Interests Assessment or LIA). The Data (Use and Access) Act 2025 added to Article 6 a non-exhaustive list of examples of processing that may be necessary for a legitimate interest: direct marketing, intra-group transmission of personal data for internal administrative purposes, and ensuring the security of network and information systems. Legitimate interests is not available to public authorities performing their public tasks.
The seventh basis: recognised legitimate interests (Article 6(1)(ea))
The Data (Use and Access) Act 2025, which received Royal Assent in June 2025 and commenced in phases, inserted a new Article 6(1)(ea): processing is necessary for the purposes of a recognised legitimate interest. This new basis permits processing for certain enumerated purposes without the balancing test otherwise required for legitimate interests under Article 6(1)(f). The recognised interests are set out in new Annex 1 to the UK GDPR and include crime prevention, safeguarding vulnerable individuals, responding to emergencies, safeguarding national security, and disclosing personal data to public authorities making public-task requests. The Secretary of State may amend Annex 1 by regulations subject to the affirmative resolution procedure.
"Necessary" as the binding necessity test
Most of the lawful bases turn on whether processing is "necessary." The ICO interprets this as more than merely useful or standard practice: processing must be a targeted and proportionate means of achieving the stated purpose. A lawful basis will not apply if the purpose can reasonably be achieved by some other less intrusive means or by processing less personal data.
No hierarchy among the bases
The ICO emphasises that there is no hierarchy among the six (now seven) lawful bases. No one basis is inherently better, safer, or more important than the others. Controllers must assess the specific purpose and context of the processing and select the basis that best fits the circumstances. If more than one basis applies, all must be identified and documented from the outset.
Interaction with data-subject rights
The choice of lawful basis affects which rights are available to individuals. For example, the right to erasure and the right to data portability do not apply where processing is based on legal obligation or public task, and the right to object does not apply where processing is based on legal obligation (it does apply to public-task and legitimate-interests processing under Article 21(1)). The right to object to direct marketing is absolute, whatever lawful basis applies. Controllers must state the lawful basis in the privacy notice provided to data subjects (the right to be informed).
Special-category data and criminal-offence data
For special-category data (Art. 9) and criminal-offence data (Art. 10), controllers must identify both an Article 6 lawful basis and a separate condition for processing under Article 9 or 10 (supplemented by Schedule 1 of the Data Protection Act 2018). These do not need to be linked; a controller may, for instance, rely on legitimate interests under Article 6 and explicit consent under Article 9(2)(a) for the same processing.
Source: UK GDPR Article 6, legislation.gov.uk
Source: Data Protection Act 2018, legislation.gov.uk
Source: ICO, A guide to lawful basis
Article 9 UK GDPR — Ten conditions for processing special-category data
Article 9(1) UK GDPR prohibits the processing of special-category personal data—that is, personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation. Processing is permitted only if the controller identifies both an Article 6 lawful basis and one of ten conditions set out in Article 9(2).
Article 9 conditions operate as an additional layer of protection, not as a replacement for Article 6 lawful bases. The ICO guidance states that the choice of Article 6 lawful basis does not dictate which Article 9 condition applies, and vice versa; they are independent. Controllers must identify and document both.
The ten Article 9(2) conditions
Five conditions stand alone under Article 9(2); five others require an additional basis in UK domestic law, set out in Schedule 1 of the Data Protection Act 2018.
(a) Explicit consent The data subject has given explicit consent to the processing for one or more specific purposes. Article 9(2)(a) does not define "explicit," but ICO guidance interprets it to mean consent that is express, clear, and specific—for example, a signed statement or an opt-in to a clearly worded tick-box. The ICO notes that for many Article 9 conditions, controllers should be prepared to justify why explicit consent cannot be obtained.
(b) Employment, social security and social protection (if authorised by law) Processing is necessary for the purposes of carrying out obligations or exercising rights under employment, social security, or social protection law. Section 10(2) of the Data Protection Act 2018 requires that, to rely on this condition, the controller must also meet Part 1, paragraph 1 of Schedule 1 to the DPA 2018. Paragraph 1 requires that the processing be necessary for performing or exercising obligations or rights imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection, and that the controller has an appropriate policy document (APD) in place when the processing is carried out (paragraph 1(1)(b)).
(c) Vital interests Processing is necessary to protect the vital interests of the data subject or another natural person where the data subject is physically or legally incapable of giving consent. ICO guidance interprets this narrowly: it applies to matters of life and death, such as emergency medical treatment where the individual is unconscious or otherwise incapable of giving consent. The condition is not available if the individual is capable of consenting, even if they refuse.
(d) Not-for-profit bodies Processing is carried out by a foundation, association, or other not-for-profit body with a political, philosophical, religious, or trade union aim, in the course of its legitimate activities, with appropriate safeguards, and relates only to current or former members (or persons with regular contact related to that purpose). Article 9(2)(d) requires that the data not be disclosed outside the body without the data subject's consent.
(e) Made public by the data subject Processing relates to personal data which are manifestly made public by the data subject. The term "manifestly made public" is not defined in the UK GDPR. ICO guidance interprets this as assuming a deliberate act by the individual: it is not enough that the data is already in the public domain—the data subject must have taken the steps that made it public. The ICO confirms that even when this condition applies, controllers remain subject to all other UK GDPR obligations, including fairness, transparency, and respect for data-subject rights.
(f) Legal claims or judicial acts Processing is necessary for the establishment, exercise, or defence of legal claims or whenever courts are acting in their judicial capacity. ICO guidance states that "legal claims" in this context is not limited to current litigation but includes prospective or potential proceedings. No DPA Schedule 1 condition or APD is required.
(g) Reasons of substantial public interest (with a basis in law) Processing is necessary for reasons of substantial public interest, based on UK domestic law which is proportionate to the aim pursued and respects the essence of the right to data protection. Section 10(3) of the Data Protection Act 2018 requires that to rely on this condition, the controller must meet one of 23 specific substantial public interest conditions set out in Part 2 of Schedule 1 to the DPA 2018 (paragraphs 6 to 28). These include statutory and government purposes, administration of justice, equality of opportunity or treatment, preventing or detecting unlawful acts, protecting the public, regulatory requirements, journalism and academia, preventing fraud, and safeguarding children or individuals at risk. Schedule 1, paragraph 5 requires an APD for most of these conditions.
(h) Health or social care (with a basis in law) Processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services, based on UK domestic law or a contract with a health professional. Section 10(2) of the DPA 2018 provides that the relevant basis in UK law is Part 1, paragraph 2 of Schedule 1 to the DPA 2018. Article 9(3) UK GDPR and section 11 of the DPA 2018 require that processing be carried out by or under the responsibility of a professional subject to an obligation of professional secrecy under UK law or rules established by national competent bodies (such as a doctor, nurse, or social worker), or by another person who owes a duty of confidentiality under an enactment or rule of law. No APD is required for this condition: the Schedule 1 APD requirement attaches to the employment condition (Part 1, paragraph 1) and to most of the substantial public interest conditions (Part 2, paragraph 5), not to the Part 1 health, public health or research conditions.
(i) Public health (with a basis in law) Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and medicinal products or medical devices, based on UK domestic law which provides for suitable and specific measures to safeguard data-subject rights, in particular professional secrecy. Recital 54 UK GDPR clarifies that "public health" includes health status, morbidity, disability, health determinants, and health-care outcomes. Section 10(2) of the DPA 2018 provides that the relevant basis in UK law is Part 1, paragraph 3 of Schedule 1 to the DPA 2018, which requires the processing to be carried out by or under the responsibility of a health professional or by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law. No APD is required for this condition.
(j) Archiving, research and statistics (with a basis in law) Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1) UK GDPR, based on UK domestic law which is proportionate to the aim pursued and provides for suitable and specific safeguards. Section 10(2) of the DPA 2018 provides that the relevant basis in UK law is Part 1, paragraph 4 of Schedule 1 to the DPA 2018. Controllers must comply with the safeguards in Article 89(1) and section 19 of the DPA 2018, which include data minimisation, pseudonymisation where possible, and not using the data to take measures or decisions about particular individuals or in a way likely to cause substantial damage or distress. No APD is required for this condition.
The "necessary" test
Most of the conditions require processing to be "necessary" for a specified purpose. ICO guidance interprets "necessary" as more than merely useful or standard practice: processing must be a targeted and proportionate means of achieving the stated purpose. A condition will not apply if the purpose can reasonably be achieved by some other less intrusive means—in particular, by processing non-special-category data.
Inferred special-category data
ICO guidance clarifies that inferred data counts as special-category data if the controller's processing intends to make an inference linked to one of the special categories (such as ethnicity, beliefs, health status, or sexual orientation) or if the controller intends to treat someone differently on the basis of such inferred information. Under the ICO's interpretive position, Article 9 applies in these circumstances irrespective of the statistical confidence of the inference. Controllers must identify an Article 9 condition even when the special-category attribute is inferred rather than directly collected.
Appropriate policy document requirement
Schedule 1 to the DPA 2018 requires an appropriate policy document (APD) where the controller relies on the employment, social security and social protection condition under Article 9(2)(b) (Part 1, paragraph 1(1)(b)) or on most of the substantial public interest conditions under Article 9(2)(g) (Part 2, paragraph 5). No APD is required for the health or social care, public health, or research conditions in Part 1. Paragraph 39 of Schedule 1 sets out what the APD must contain: it must explain the controller's procedures for securing compliance with the Article 5 UK GDPR principles in connection with the processing of special-category data and set out the controller's policies for retaining and erasing such data. The controller must retain the APD, review and (if appropriate) update it from time to time, and make it available to the ICO on request, throughout the period from the start of the processing until six months after the processing ceases. The ICO provides a template APD.
Automated decision-making restrictions
Article 22(4) UK GDPR provides that solely automated decision-making (including profiling) that has legal or similarly significant effects may not be based on special-category data unless the processing is based on explicit consent under Article 9(2)(a) or is necessary for reasons of substantial public interest under Article 9(2)(g) and meets a Schedule 1 Part 2 condition, with suitable safeguards for the data subject's rights, freedoms, and legitimate interests in place.
Source: UK GDPR Article 9, legislation.gov.uk
Source: Data Protection Act 2018, Schedule 1, legislation.gov.uk
Source: ICO, Special category data — What are the rules on special category data?
Source: ICO, Special category data — What are the conditions for processing?
Article 6(1)(a) consent — Four validity requirements and withdrawal rights
Consent under Article 6(1)(a) UK GDPR is one of seven lawful bases for processing personal data. Article 4(11) UK GDPR defines consent as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."
Consent is not inherently superior to the other lawful bases. The ICO emphasises that controllers must choose the lawful basis that best reflects the true nature of the relationship with the individual and the purpose of the processing. If consent is difficult to obtain, this is often because a different lawful basis (such as contract, legal obligation, or legitimate interests) is more appropriate.
The four statutory validity criteria
Valid consent must satisfy all four elements of the Article 4(11) definition:
1. Freely given
Consent must offer individuals genuine choice and control. Article 7(4) UK GDPR provides that when assessing whether consent is freely given, "utmost account shall be taken of whether… the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract." Recital 43 UK GDPR adds that "consent is presumed not to be freely given… if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance."
The ICO interprets this strictly: if a controller makes consent a precondition of service and the processing is not objectively necessary for that service, consent is not freely given and is invalid. The ICO's guidance states that bundling consent with terms and conditions in this way is misleading and inherently unfair. In such cases, controllers should instead rely on Article 6(1)(b) (contract) if the processing is genuinely necessary for performance, or Article 6(1)(f) (legitimate interests) combined with transparent privacy information.
Recital 42 UK GDPR also requires that individuals must be able to refuse or withdraw consent without detriment. The ICO's view is that some incentivisation may be permissible—for example, offering money-off vouchers to customers who join a retailer's loyalty scheme and consent to marketing—but a clear penalty for refusal invalidates consent.
Recital 43 UK GDPR further warns that consent is unlikely to be freely given where there is a clear imbalance of power between controller and data subject, particularly for public authorities and employers. Public authorities performing public tasks and employers must take extra care to show that consent is freely given and should avoid over-reliance on this lawful basis.
2. Specific
Consent must cover a specific, identified purpose. If the processing has multiple purposes, consent must be obtained separately for each purpose (granular consent). Recital 32 UK GDPR states: "Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them." The ICO requires controllers to offer separate, distinct opt-in options for different purposes and types of processing.
Recital 42 UK GDPR requires that the individual must know the identity of the controller. This means the controller must identify itself by name, and also name any third-party controllers who will rely on the same consent. If a controller buys in "consented" data from a third party, that consent is only valid for the controller's own processing if it was specifically named at the time consent was obtained.
3. Informed
The individual must understand what they are consenting to. The request for consent must be in clear, plain language. Recital 32 UK GDPR provides that if the consent request is given by electronic means, "the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided." The ICO notes that this is not an exemption—avoiding disruption does not override the need for clarity and specificity, and some level of disruption may be necessary to obtain valid consent.
If the request is vague, sweeping, or uses language likely to confuse (such as double negatives or inconsistent terminology), consent is invalid.
4. Unambiguous
Consent requires a clear affirmative action. Recital 32 UK GDPR provides: "Consent should be given by a clear affirmative act… such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent."
The ICO interprets this as requiring a deliberate, positive opt-in. Acceptable methods include ticking an empty checkbox, signing a consent statement, oral confirmation, a binary choice presented with equal prominence, or actively switching technical settings. Pre-ticked boxes, inactivity, silence, and bundled acceptance within general terms and conditions are all invalid.
Verifiability requirement — Article 7(1)
Article 7(1) UK GDPR requires controllers to be able to demonstrate that a data subject has consented. Controllers must keep records of who consented, when, how, and what they were told at the time. The ICO's detailed guidance recommends that these records include the consent mechanism used, the consent wording presented, and the individual's consent response. Controllers should also keep consent under review and refresh it at appropriate intervals if the relationship, processing, or purposes change.
Right to withdraw consent — Article 7(3)
Article 7(3) UK GDPR provides: "The data subject shall have the right to withdraw his or her consent at any time." Withdrawal must be as easy as giving consent. Controllers must tell individuals about their right to withdraw and provide easy mechanisms to do so at any time. Once consent is withdrawn, the controller must stop the processing and, in most cases, delete the personal data gathered under that consent (subject to any other lawful basis or legal obligation to retain). Where the data are then erased, Article 19 UK GDPR requires the controller to communicate that erasure to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.
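The record-keeping and withdrawal points above (Article 7(1) and 7(3)), together with the granularity and "name the controller" points under "Specific", are the kind of thing a controller's engineering team ends up encoding in a consent store. The following is an added illustration, not ICO or page material: a small append-only consent ledger that records who consented, when, by what mechanism and to what wording, refuses mechanisms that cannot amount to a clear affirmative act, only lets a controller rely on consent if it was named in the request, and treats withdrawal as a first-class event that stops later processing while keeping the historical record intact. The class and function names, the subject identifiers, the controller names and the consent wording are all hypothetical.

```python
"""Auditable consent ledger, added as an illustration of the Article 7(1)
record-keeping and Article 7(3) withdrawal requirements described above.
Hypothetical example code: the names, identifiers and wording are made up."""
from dataclasses import dataclass
from datetime import datetime, timezone
from hashlib import sha256
from typing import Iterable, List, Optional, Tuple

# Mechanisms accepted as a clear affirmative act (Recital 32). Pre-ticked boxes,
# silence, inactivity and acceptance bundled into T&Cs are deliberately absent.
AFFIRMATIVE_MECHANISMS = {"opt_in_checkbox", "signed_statement",
                          "oral_confirmation", "settings_toggle"}


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str
    given: bool                          # True = consent given, False = withdrawn
    mechanism: str                       # how the individual signified consent
    wording_sha256: str                  # digest of the exact request text shown
    controllers_named: Tuple[str, ...]   # controllers named in the request (Recital 42)
    at: datetime


class ConsentLedger:
    """Append-only record of consent and withdrawal events per subject and purpose."""

    def __init__(self, own_name: str, purposes: Iterable[str]):
        self.own_name = own_name
        self.purposes = set(purposes)    # declared purposes: consent must be specific
        self._events: List[ConsentEvent] = []

    def record_consent(self, subject_id, purpose, mechanism, wording,
                       controllers_named, at=None) -> ConsentEvent:
        if purpose not in self.purposes:
            raise ValueError(f"undeclared purpose {purpose!r}; consent must be specific")
        if mechanism not in AFFIRMATIVE_MECHANISMS:
            raise ValueError(f"{mechanism!r} is not a clear affirmative action")
        if self.own_name not in controllers_named:
            raise ValueError("the request must name the controller relying on it")
        event = ConsentEvent(subject_id, purpose, True, mechanism,
                             sha256(wording.encode("utf-8")).hexdigest(),
                             tuple(controllers_named),
                             at or datetime.now(timezone.utc))
        self._events.append(event)
        return event

    def withdraw(self, subject_id, purpose, at=None) -> ConsentEvent:
        # Deliberately no preconditions: withdrawing must be as easy as consenting.
        event = ConsentEvent(subject_id, purpose, False, "withdrawal", "", (),
                             at or datetime.now(timezone.utc))
        self._events.append(event)
        return event

    def evidence(self, subject_id, purpose) -> List[ConsentEvent]:
        """Everything the controller would produce to demonstrate consent (Art. 7(1))."""
        return sorted((e for e in self._events
                       if e.subject_id == subject_id and e.purpose == purpose),
                      key=lambda e: e.at)

    def may_process(self, subject_id, purpose, relying_controller=None,
                    at: Optional[datetime] = None) -> bool:
        """Is consent for this purpose live at the given instant, and was the
        controller that wants to rely on it named when consent was obtained?"""
        history = [e for e in self.evidence(subject_id, purpose)
                   if at is None or e.at <= at]
        if not history or not history[-1].given:
            return False
        return (relying_controller or self.own_name) in history[-1].controllers_named


def demo() -> dict:
    """Constructed walk-through; subject, controllers and wording are made up."""
    ledger = ConsentLedger("Example Retail Ltd", {"marketing_email", "product_analytics"})
    t_consent = datetime(2025, 9, 1, 10, 0, tzinfo=timezone.utc)
    t_withdraw = datetime(2025, 9, 2, 9, 30, tzinfo=timezone.utc)
    wording = "Tick here to receive marketing emails from Example Retail Ltd and Partner Co."
    ledger.record_consent("subj-1", "marketing_email", "opt_in_checkbox", wording,
                          ["Example Retail Ltd", "Partner Co"], at=t_consent)
    results = {
        "own_marketing": ledger.may_process("subj-1", "marketing_email"),
        "named_partner": ledger.may_process("subj-1", "marketing_email", "Partner Co"),
        "unnamed_broker": ledger.may_process("subj-1", "marketing_email", "Data Broker Ltd"),
        "other_purpose": ledger.may_process("subj-1", "product_analytics"),
    }
    ledger.withdraw("subj-1", "marketing_email", at=t_withdraw)
    results["after_withdrawal"] = ledger.may_process("subj-1", "marketing_email")
    # The record still shows that consent was live when earlier processing happened.
    results["at_time_of_consent"] = ledger.may_process("subj-1", "marketing_email",
                                                       at=t_consent)
    try:
        ledger.record_consent("subj-2", "marketing_email", "pre_ticked_box", wording,
                              ["Example Retail Ltd"], at=t_consent)
        results["pre_ticked_rejected"] = False
    except ValueError:
        results["pre_ticked_rejected"] = True
    results["evidence_events"] = len(ledger.evidence("subj-1", "marketing_email"))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point-in-time check (`at=`) is what makes the ledger useful as evidence rather than just as a gate: after withdrawal the controller can still show that processing carried out on 1 September was covered by valid consent, while anything after 2 September is not. Hashing the wording rather than storing a version label ties the record to the exact text the individual saw, which is what the ICO asks controllers to be able to reproduce.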
Explicit consent under Article 9(2)(a)
Consent under Article 6(1)(a) is distinct from the explicit consent required for processing special-category data under Article 9(2)(a) UK GDPR. The ICO guidance states that explicit consent must be affirmed in a clear statement, whether oral or written. The Article 4(11) definition allows consent to be signified either by a statement or by a clear affirmative action; only the former can amount to explicit consent. Consent inferred from conduct, however obvious, cannot be explicit consent.
Consent and children — Article 8 UK GDPR
Article 8(1) UK GDPR (as modified by section 9 of the Data Protection Act 2018) sets the age of consent for information society services (ISS) at 13 years in the UK. If a controller offers an ISS directly to a child and relies on consent, processing of the child's personal data is lawful where the child is at least 13 years old. For children under 13, the controller must obtain consent from a person holding parental responsibility. Article 8(2) UK GDPR requires controllers to make reasonable efforts, taking into consideration available technology, to verify that any person giving consent on behalf of a child under 13 does in fact hold parental responsibility. The ICO advises that a data protection impact assessment (DPIA) can help a controller decide, and document, what verification steps are reasonable; that record is what the controller would rely on if a complaint is made.
Not always appropriate
The ICO guidance stresses that consent is not always the most appropriate lawful basis, even when processing personal data for purposes such as marketing, research, or profiling. Controllers should consider the five other Article 6 lawful bases (or, following the Data (Use and Access) Act 2025, the six other bases including the new recognised legitimate interests under Article 6(1)(ea)). Consent's strict requirements—particularly the right to withdraw at any time—make it unsuitable when the processing is genuinely necessary for the controller's operations or when the controller cannot easily cease processing on request. In those circumstances, another lawful basis is likely more appropriate.
Interaction with PECR cookie consent
The consent requirements for cookies and similar storage and access technologies are defined by the Privacy and Electronic Communications Regulations 2003 (PECR), not the UK GDPR. PECR requires that either the "user" or the "subscriber" must consent to the setting of non-exempt cookies on the user's device. However, the ICO confirms that for PECR consent to be valid, the person providing it must understand what they are consenting to; this means controllers must apply the UK GDPR's consent standards (freely given, specific, informed, unambiguous) when seeking cookie consent as well.
Source: UK GDPR Article 4(11), legislation.gov.uk
Source: UK GDPR Article 6, legislation.gov.uk
Source: UK GDPR Article 7, legislation.gov.uk
Source: UK GDPR Recital 32, legislation.gov.uk
Source: ICO, What is valid consent?
Source: ICO, Consent
Article 6(1)(f) legitimate interests — The three-part test and LIA requirement
Article 6(1)(f) UK GDPR permits processing when it is "necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child." Legitimate interests is the most flexible of the seven lawful bases under Article 6, but it also places the greatest responsibility on the controller: the controller must identify a legitimate interest, demonstrate necessity, and affirmatively balance that interest against the data subject's rights and freedoms.
The three-part test
The three-part test is not set out in those terms in the UK GDPR; the ICO reads Article 6(1)(f) as requiring three cumulative elements that must all be satisfied before processing begins. The structure mirrors the three cumulative conditions the Court of Justice of the European Union identified in Rīgas satiksme (C-13/16, 4 May 2017), decided under Article 7(f) of the earlier Data Protection Directive 95/46/EC; that reasoning forms part of retained (now assimilated) EU case law for the UK post-Brexit.
1. Purpose test: identify the legitimate interest
The controller must identify a specific, real-world legitimate interest. This can be the controller's own interest (such as preventing fraud, ensuring network security, or growing the business), a third party's interest (including another individual or organisation), or the public's interest in the processing. The UK GDPR does not prescribe what qualifies as a "legitimate" interest; the ICO confirms that trivial, controversial, or commercial interests can all be legitimate. Article 6 UK GDPR, as amended by the Data (Use and Access) Act 2025, expressly identifies three examples of interests that may be legitimate: (a) direct marketing; (b) intra-group transmission of personal data for internal administrative purposes; and (c) ensuring the security of network and information systems. However, the ICO emphasises that these examples do not create a presumption; even when a purpose falls within one of the three examples, the controller must still complete the necessity and balancing tests and document the outcome in a Legitimate Interests Assessment (LIA).
2. Necessity test: is processing necessary for that purpose?
Processing is necessary only if it is a targeted and proportionate means of achieving the identified legitimate interest. The ICO interprets "necessary" as more than merely useful, convenient, or standard industry practice. If the controller can reasonably achieve the same purpose by processing less personal data, by processing non-personal data, or by using a less intrusive method, the necessity test is not met. Controllers should document what alternative measures they considered and why processing this personal data in this manner is the least intrusive option that will actually achieve the purpose.
3. Balancing test: do the data subject's interests, rights, or freedoms override the legitimate interest?
The controller must weigh the legitimate interest against the data subject's "interests or fundamental rights and freedoms." This is a light-touch risk assessment, not a full Data Protection Impact Assessment (DPIA), though if the LIA identifies potential high risks to data subjects' rights and freedoms, a DPIA is then required under Article 35 UK GDPR. The ICO guidance identifies key factors for the balancing test:
- Reasonable expectations. Would the data subject reasonably expect this processing in the context of the controller–data-subject relationship? If the processing would surprise or concern the data subject, the balance is likely to tip against the controller. Recital 47 UK GDPR states that a "relevant and appropriate relationship" between the data subject and the controller (for example, where the data subject is a customer or in the service of the controller) may support a finding that the processing is within reasonable expectations.
- Nature of the personal data. Processing special-category data (Article 9), criminal-offence data (Article 10), or children's data raises the bar significantly. Article 6(1)(f) itself states "in particular where the data subject is a child," signalling that children merit heightened protection. The ICO's position is that legitimate interests is rarely appropriate for special-category data or for profiling children, even if an Article 9 condition is also met.
- Impact on the data subject. What are the consequences of the processing for the individual? Is it intrusive, likely to cause harm or distress, or likely to limit the individual's control over their own data? Processing that causes substantial damage, distress, or unfair discrimination will typically fail the balancing test.
- Safeguards. What technical or organisational measures has the controller put in place to reduce the impact? Examples include pseudonymisation, access controls, transparency (clear privacy notices), and offering an easy opt-out mechanism. Strong safeguards can tip the balance in favour of the controller.
If, after weighing these factors, the data subject's interests, rights, or freedoms outweigh the controller's legitimate interest, Article 6(1)(f) does not apply. The ICO advises that if the outcome of the balancing test is uncertain or close, controllers should consider a different lawful basis (such as consent, if the controller is willing to give the data subject full control).
The Legitimate Interests Assessment (LIA) and documentation requirement
The ICO requires controllers to conduct and document a Legitimate Interests Assessment before they begin processing. There is no prescribed form for an LIA, but it must address all three parts of the test. The ICO publishes a sample LIA template. Controllers should record the outcome of each stage, including all relevant factors, whether those factors support or undermine the controller's conclusion. This demonstrates that the controller has considered the full picture before deciding to rely on legitimate interests, and it helps the controller meet the UK GDPR's accountability principle (Article 5(2)).
Controllers should refresh the LIA whenever anything significant changes—for example, if the purpose, the nature of the data, the context, or the relationship with the data subject changes. If a new, unforeseen impact arises, the controller should revisit the balancing test and consider whether additional safeguards are needed.
Restriction for public authorities performing public tasks
Article 6(1)(f) UK GDPR provides that legitimate interests "shall not apply to processing carried out by public authorities in the performance of their tasks." Section 7 of the Data Protection Act 2018 defines "public authority" to include bodies defined by the Freedom of Information Act 2000 and the Freedom of Information (Scotland) Act 2002, and bodies performing a task in the public interest or exercising official authority. When a public authority is performing a public task, it must rely on Article 6(1)(e) (public task) instead. Public authorities may rely on legitimate interests for processing unrelated to their public tasks—for example, managing their own employees or premises—but not for the core functions they were established to perform.
Right to object — Article 21 UK GDPR
Data subjects have the right to object to processing based on legitimate interests under Article 21(1) UK GDPR. The right to object is not absolute (except for direct marketing under Article 21(2)). When a data subject objects to processing based on Article 6(1)(f), the controller must stop processing unless it can demonstrate "compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject" or the processing is necessary for the establishment, exercise, or defence of legal claims. This is a higher bar than the balancing test conducted in the LIA: the controller must show that its grounds are compelling, not merely that they tip the balance. The ICO advises that controllers cannot simply repeat the LIA balancing test; they must take into account the individual's specific reasons for objecting.
For direct marketing, the right to object is absolute under Article 21(3). If a data subject objects to processing for direct marketing purposes, the controller must stop that processing immediately, and no compelling legitimate grounds can override the objection. This applies regardless of the lawful basis (even if the controller initially relied on Article 6(1)(f) or the new Article 6(1)(ea) recognised legitimate interests for direct marketing).
Relationship to the new Article 6(1)(ea) recognised legitimate interests
The Data (Use and Access) Act 2025 (Royal Assent June 2025) inserted a new Article 6(1)(ea) into the UK GDPR: processing is lawful if it is "necessary for the purposes of a recognised legitimate interest." The recognised legitimate interests are set out in new Annex 1 to the UK GDPR and include crime prevention, safeguarding vulnerable individuals, responding to emergencies, safeguarding national security, and assisting public authorities in delivering public-interest tasks. Processing under Article 6(1)(ea) must still be necessary, but it does not require the controller to complete a balancing test in advance. The new basis is available only to non-public-sector controllers; public authorities performing their public tasks cannot rely on Article 6(1)(ea) (mirroring the restriction for Article 6(1)(f)). Where a controller's purpose falls within one of the Annex 1 recognised legitimate interests, the controller may choose between Article 6(1)(f) (with a full LIA) and Article 6(1)(ea) (necessity only, no balancing test). The ICO has not yet published detailed guidance on when each basis is more appropriate, but the statutory design suggests that Article 6(1)(ea) is intended for high-societal-value processing where the legislature has already determined that the public interest in processing outweighs typical data-subject objections.
Interaction with data-subject rights
The choice of lawful basis affects which data-subject rights are available. When processing is based on legitimate interests (Article 6(1)(f) or (ea)), data subjects retain most rights under Chapter III UK GDPR, including the rights of access (Article 15), rectification (Article 16), erasure (Article 17), restriction (Article 18), and objection (Article 21). However, the right to data portability (Article 20) does not apply to processing based on legitimate interests; it applies only when processing is based on consent (Article 6(1)(a)) or contract (Article 6(1)(b)) and is carried out by automated means.
Transparency requirement
Article 13(1)(d) UK GDPR requires that when a controller collects personal data from the data subject, the controller must inform the data subject of "the legitimate interests pursued by the controller or by a third party" if processing is based on Article 6(1)(f). This is in addition to the standard privacy-notice contents. The controller must clearly explain what the legitimate interest is—vague or generic statements ("to improve our services" or "for business purposes") do not meet the transparency standard. Controllers should explain the specific interest and, where relevant, refer the data subject to the LIA or to a summary of the balancing outcome.
Source: UK GDPR Article 6, legislation.gov.uk
Source: Data Protection Act 2018 section 7, legislation.gov.uk
Source: ICO, What is the 'legitimate interests' basis?
Source: ICO, How do we apply legitimate interests in practice?
Source: ICO, When can we rely on legitimate interests?
Article 6(1)(b) contract — Necessity for performance and pre-contractual steps
Article 6(1)(b) UK GDPR permits processing when it is "necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract." This lawful basis is essential for e-commerce, SaaS subscriptions, employment relationships, and any service delivery governed by contract. The ICO interprets the necessity requirement strictly: processing must be integral to delivering the contractual service to that specific individual, not merely useful to the controller's wider business model.
Recital 44 UK GDPR provides interpretive context: "Processing should be lawful where it is necessary in the context of a contract or the intention to enter into a contract." The recital was retained in UK domestic law under section 3 of the European Union (Withdrawal) Act 2018 and continues to inform the interpretation of Article 6(1)(b).
Two limbs of Article 6(1)(b)
Article 6(1)(b) covers two distinct scenarios:
1. Processing necessary to perform an existing contract with the data subject
This applies when the controller has a binding contract with the individual and processing personal data is required to fulfil the controller's obligations or to enable the data subject to comply with their counter-obligations. Common examples include processing a customer's delivery address to ship goods purchased under a sales contract, processing payment details to execute a transaction, processing an employee's bank details to pay wages under an employment contract, and processing account credentials to provide access to a subscription service. The ICO emphasises that the processing must be objectively necessary for contract performance—that is, the controller could not reasonably deliver the contractual service without it.
2. Processing necessary to take pre-contractual steps at the request of the data subject
This applies before a contract is formed, when the individual has asked the controller to do something as a preliminary to entering into a contract. Examples include processing personal information to provide a quote for insurance or financial services, to verify eligibility for a service the individual wishes to purchase, or to set up an account before the first transaction. The individual must have initiated or requested the steps; the controller cannot unilaterally declare that processing is pre-contractual if the individual has not asked for it.
The "necessary" test — strictly construed
Article 6(1)(b) turns on whether processing is "necessary." The ICO's guidance interprets this term strictly. Necessity does not mean "absolutely the only way" to perform the contract, but it must be more than merely useful, convenient, or standard industry practice. Processing is necessary only if it is a targeted and proportionate step that is integral to delivering the contractual service or taking the requested pre-contractual action. The ICO states that this lawful basis does not apply if there are other reasonable and less intrusive ways to deliver the contractual service, or if the purpose can be achieved by processing less data or using non-personal data.
Crucially, the processing must be necessary to perform the contract with this particular person. If the processing is instead necessary to maintain the controller's wider business model, to improve service quality generally, or is included in the terms and conditions for purposes beyond delivering the specific service the individual contracted for, Article 6(1)(b) does not apply. In those cases, the controller should rely on another lawful basis, most commonly legitimate interests under Article 6(1)(f).
Impermissible bundling of non-contractual processing
The ICO warns against the common misapplication of relying on "contract" for processing that is not genuinely necessary for contract performance but is simply bundled into the controller's standard terms and conditions. Article 7(4) UK GDPR provides that when assessing whether consent is freely given, "utmost account shall be taken of whether… the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract." Recital 43 UK GDPR extends this principle, stating that "consent is presumed not to be freely given… if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance."
The ICO interprets these provisions as precluding controllers from making service conditional on processing that is not objectively necessary for that service. For example, a music-streaming service cannot rely on Article 6(1)(b) for personalised advertising or behavioural profiling, even if those features are described in the terms of service, because the core contractual service (streaming music) can be delivered without them. Such processing requires a different lawful basis—typically legitimate interests (with a full balancing test documented in a Legitimate Interests Assessment) or, if the controller wishes to give individuals full control, consent.
The EDPB (European Data Protection Board) adopted final guidelines on processing under Article 6(1)(b) in the context of online services in October 2019. These guidelines are not binding on the UK regime post-Brexit, but the ICO's interpretive position aligns closely with the EDPB's strict reading: the contract basis is not available for ancillary or value-added processing that is separate from the core service, even if that processing is commercially valuable to the controller.
Contracts with children under 18
If the contract is with a child under 18, controllers must consider whether the child has the necessary legal competence to enter into the contract under UK law. The common-law position is that contracts with minors are voidable at the minor's option unless they are for "necessaries" (goods or services suitable to the child's condition in life and to their actual requirements at the time). If the controller has doubts about the child's contractual capacity, the contract may be void or voidable, and in that case the processing cannot be justified under Article 6(1)(b). The ICO advises that controllers may wish to consider an alternative lawful basis, such as legitimate interests, which requires a balancing test that explicitly accounts for the child's rights and interests. Article 6(1)(f) itself states "in particular where the data subject is a child," signalling heightened protection for children under the legitimate-interests basis.
No consent required if processing is necessary for the contract
If processing is genuinely necessary for the contract under Article 6(1)(b), the controller does not need to obtain separate consent. Indeed, the ICO cautions that asking for consent in this scenario is misleading and risks "consent fatigue," because the individual has no real choice—they cannot receive the service without the processing. Bundling unnecessary processing with a purported consent request within terms and conditions is also problematic: if the processing is genuinely necessary, the lawful basis is contract, not consent; if it is not necessary, then conditioning the service on it renders any "consent" invalid as not freely given.
If the controller is processing special-category data (Article 9 UK GDPR) and that processing is necessary for the contract, the controller must also identify a separate Article 9(2) condition. Article 6(1)(b) is the lawful basis, but it does not satisfy the additional layer of protection required for special-category data. The ICO's guidance on special category data notes that most of the Article 9 conditions are narrowly drawn, and relying on Article 6(1)(b) plus an Article 9 condition for contract performance is less common than relying on explicit consent (Article 9(2)(a)) or one of the substantial-public-interest conditions (Article 9(2)(g) plus a Part 2 Schedule 1 condition under the Data Protection Act 2018).
Impact on data-subject rights
The choice of Article 6(1)(b) affects which data-subject rights apply. Individuals whose data is processed under the contract lawful basis have no right to object under Article 21 UK GDPR (the right to object applies only to processing based on public task or legitimate interests) and no right to erasure under Article 17 for as long as the processing remains necessary for contract performance. However, individuals do have a right to data portability under Article 20 UK GDPR when processing is based on contract (or consent) and is carried out by automated means. The controller must provide the personal data the individual provided in a structured, commonly used, machine-readable format, and the individual has the right to transmit that data to another controller. Recital 68 UK GDPR (retained in UK law) clarifies that the right to data portability "should not prejudice the right of the data subject to obtain the erasure of personal data… and should, in particular, not imply the erasure of personal data concerning the data subject which have been provided by him or her for the performance of a contract to the extent that and for as long as the personal data are necessary for the performance of that contract."
Transparency requirement
Controllers relying on Article 6(1)(b) must include information about the lawful basis in the privacy notice provided to data subjects under Articles 13 or 14 UK GDPR. The controller must explain the purposes of the processing and identify "contract" as the lawful basis. The ICO emphasises that vague statements such as "we process your data to provide our services" do not meet the transparency standard; the controller should specify which processing is necessary for which aspect of contract performance.
Documentation and accountability
The ICO requires controllers to document their decision that processing is necessary for the contract and to be able to justify that reasoning on request. This is an aspect of the accountability principle under Article 5(2) UK GDPR. Controllers should maintain a record of processing activities (ROPA) under Article 30 UK GDPR that identifies the lawful basis for each processing purpose, and should be prepared to explain why the processing could not reasonably be accomplished by less intrusive means or by processing less data.
Source: UK GDPR Article 6(1)(b), legislation.gov.uk
Source: UK GDPR Recital 44, legislation.gov.uk
Source: ICO, Contract
Article 6(1)(b) contract — The "necessary for performance" test and its limits
Article 6(1)(b) UK GDPR permits processing when it is "necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract." This lawful basis is commonly relied upon in commercial settings—SaaS, e-commerce, employment, banking—but its scope is narrower than many controllers assume. The ICO interprets the necessity requirement strictly: processing must be objectively integral to delivering the contractual service to the individual, not merely useful to the controller's business model or mentioned in the terms and conditions.
The two limbs of Article 6(1)(b)
The lawful basis covers two distinct scenarios:
- Performance of an existing contract. Processing is necessary to fulfil the controller's obligations under a contract with the data subject, or to enable the data subject to comply with their counter-obligations (for example, processing payment details so the customer can pay).
- Pre-contractual steps at the data subject's request. Processing is necessary to take steps that the data subject has asked the controller to take before entering into a contract—for example, processing personal data to provide a quote, an eligibility assessment, or a product recommendation that the individual has requested.
The second limb requires that the individual has requested the step. If the controller unilaterally decides to take a pre-contractual step (such as running a credit check the individual did not request), Article 6(1)(b) does not apply, and the controller must identify a different lawful basis.
The strict necessity test: integral, not merely useful
The ICO's guidance on contract explains that "necessary" means more than useful, convenient, or standard industry practice. Processing is necessary only if it is "a targeted and proportionate step which is integral to delivering the contractual service or taking the requested action." The lawful basis does not apply "if there are other reasonable and less intrusive ways to deliver the contractual service or take the steps requested."
The ICO emphasises that "the processing must be necessary to perform the contract with this particular person. If the processing is instead necessary to maintain your business model more generally, or is included in your terms for other business purposes beyond delivering the contractual service, this lawful basis will not apply." In those circumstances, controllers should consider Article 6(1)(f) legitimate interests (with a balancing test) or Article 6(1)(a) consent.
The contractual-mention fallacy
Including a processing activity in the terms and conditions does not, by itself, make that processing "necessary for the performance of a contract." The ICO warns that processing must be "more than just useful, and more than just part of your standard terms." The test is whether the processing is objectively integral to the service the individual has requested, not whether the controller has unilaterally declared it to be a contractual requirement.
Recital 44 UK GDPR provides that "processing should be lawful where it is necessary in the context of a contract or the intention to enter into a contract." The ICO interprets this as requiring the processing to be intrinsic to the service, not merely associated with it.
Profiling, personalization, and targeted advertising: rarely necessary
The ICO's contract guidance includes a worked example: "the profiling of an individual's interests and preferences based on items purchased is not necessary for the performance of the contract and the controller cannot rely on Article 6(1)(b) as the lawful basis for this processing. Even if this type of targeted advertising is a useful part of your customer relationship and is a necessary part of your business model, it is not necessary to perform the contract itself."
The guidance confirms that "this does not mean that processing which is not necessary for the contract is automatically unlawful, but rather that you need to look for a different lawful basis (and other safeguards such as the right to object may come into play)."
The ICO's AI guidance applies the same logic to AI-driven personalization: processing personal data by an AI system to personalize content may be regarded as necessary for the performance of a contract "but only in some cases." Whether the processing is intrinsic depends on "whether you can provide your service without this processing (ie if the personalisation of content by means of an AI system is not integral to the service, you should consider an alternative lawful basis)."
Contracts with children
The ICO notes that if the contract is with a child under 18, "you need to consider whether they have the necessary competence to enter into a contract." If there are doubts about competence, "you may wish to consider an alternative basis such as legitimate interests, which can help you to demonstrate that the child's rights and interests are properly considered and protected."
Processing special-category data on the contract basis
If processing of special-category data (Article 9) is necessary for the contract, the controller must identify both an Article 6 lawful basis and a separate Article 9 condition. Article 6(1)(b) can serve as the Article 6 basis, but the controller must still meet one of the ten conditions under Article 9(2).
The ICO confirms that explicit consent under Article 9(2)(a) may be available as the Article 9 condition even if the processing is a condition of the service, with the caveat that "you must be confident that you can demonstrate that consent is still freely given. In particular, that the processing is objectively necessary to perform a requested element of the service, and not bundled together with other elements of the service or included in your terms for broader business purposes." The ICO's published example: a gym that introduces a facial recognition system and requires all members to agree to facial recognition as a condition of entry, with no alternative access method, is not obtaining valid consent, because "although facial recognition might have some security and convenience benefits, it is not objectively necessary in order to provide access to gym facilities."
No right to object (except for direct marketing)
When processing is based on Article 6(1)(b) contract, the data subject does not have the right to object under Article 21(1) UK GDPR, except for the absolute right to object to direct marketing under Article 21(2)/(3), which applies regardless of lawful basis. The ICO confirms that "if you are processing on the basis of contract, the individual's right to object and right not to be subject to a decision based solely on automated processing will not apply."
The right to data portability under Article 20 UK GDPR does apply when processing is based on contract and the processing is carried out by automated means. Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.
Documentation and transparency requirements
The ICO requires controllers to "document your decision to rely on this lawful basis and ensure that you can justify your reasoning." Controllers should record what processing is being carried out, why it is necessary for the contract with the individual, and what alternative, less intrusive methods were considered.
Controllers relying on Article 6(1)(b) must include information about the lawful basis in the privacy notice provided to data subjects at the point of data collection (Articles 13 and 14 UK GDPR). Generic statements that processing is "to provide our services" or "to perform the contract" are insufficient; the controller must clearly explain what specific processing is necessary for what specific contractual purpose.
Interaction with EDPB Guidelines 2/2019
The European Data Protection Board (EDPB) published Guidelines 2/2019 on processing under Article 6(1)(b) in the context of online services (adopted 8 October 2019), interpreting the contract lawful basis narrowly for behavioural advertising and personalised content delivery. The ICO notes that "EDPB guidelines are no longer directly relevant to the UK regime and are not binding under the UK regime." However, the ICO's own guidance on Article 6(1)(b) reflects a similar interpretive position: that the contract basis applies only to processing that is objectively integral to the service requested by the individual.
Source: UK GDPR Article 6, legislation.gov.uk
Source: UK GDPR Recital 44, legislation.gov.uk
Source: ICO, Contract (lawful basis guidance)
Source: ICO, When is consent appropriate?
Source: ICO, How do we ensure lawfulness in AI?
Article 10 UK GDPR — Criminal-offence data processing requirements
Article 10 UK GDPR imposes a distinct layer of protection for personal data relating to criminal convictions, offences, or related security measures. Processing such data is lawful only if carried out under the control of official authority or when authorised by domestic (or, as of 20 August 2025, relevant international) law with appropriate safeguards. Controllers must satisfy both an Article 6 lawful basis and an Article 10 condition before processing criminal-offence data.
Scope — what is criminal-offence data?
Article 10(1) UK GDPR applies to "personal data relating to criminal convictions and offences or related security measures." Section 11(2) of the Data Protection Act 2018 expands this definition to include personal data relating to (a) the alleged commission of offences by the data subject, or (b) proceedings for an offence committed or alleged to have been committed by the data subject. The ICO confirms that criminal-offence data covers not only confirmed convictions and trials but also allegations, investigations, and criminal proceedings. The term "relating to" is interpreted broadly to include any personal data linked to criminal offences or used to assess an individual's criminal record or behaviour.
Importantly, Article 10 applies only to the personal data of offenders or suspected offenders. Information about victims or witnesses of crime is not criminal-offence data (unless it also identifies an offender or suspected offender) and does not require a Schedule 1 condition, though such data may still be special-category data under Article 9 if it reveals, for example, health information about injuries.
Personal data contained in a criminal record check—such as a Disclosure and Barring Service (DBS) check—is criminal-offence data under Article 10 even when the check reveals no convictions, because the data relates to the assessment of the individual's criminal history.
Dual-layer requirement — Article 6 lawful basis + Article 10 condition
Article 10 does not replace or override the requirement for an Article 6 lawful basis. Controllers must identify both:
- an Article 6 lawful basis for processing the personal data (consent, contract, legal obligation, vital interests, public task, or legitimate interests, or—as of 20 August 2025—recognised legitimate interests under Article 6(1)(ea)); and
- either official authority or a Schedule 1 condition authorising the processing of criminal-offence data under Article 10.
The ICO emphasises that these are independent requirements. The choice of Article 6 lawful basis does not dictate which Article 10 condition applies, and vice versa. For example, a controller may rely on legitimate interests under Article 6(1)(f) and the "preventing or detecting unlawful acts" condition under Schedule 1, paragraph 10, for the same processing.
If a controller relies on legitimate interests as the Article 6 lawful basis, the controller must take into account the particular risks associated with criminal-offence data when conducting its Legitimate Interests Assessment (LIA) and may need to implement more robust safeguards.
Processing under the control of official authority
If processing is carried out "under the control of official authority," the controller does not need to identify a Schedule 1 condition. Public authorities or private bodies vested with public-sector tasks may have official authority laid down by statute or common law to process criminal-offence data. For example, a public authority maintaining a landlords register containing information about private landlords who have been prosecuted or fined may have official authority to control and maintain the register and therefore does not require a Schedule 1 condition.
In contrast, an organisation that does not have official authority must identify a Schedule 1 condition. Section 10(5) of the DPA 2018 provides that processing not carried out under the control of official authority meets the Article 10(1) authorisation requirement only if it meets a condition in Part 1, 2, or 3 of Schedule 1 to the DPA 2018.
The 28 Schedule 1 conditions for criminal-offence data
Schedule 1 to the DPA 2018 sets out 28 conditions for processing criminal-offence data (paragraphs 1 to 37 of Schedule 1, though some paragraphs apply only to special-category data). The conditions fall into three Parts:
- Part 1 (paragraphs 1–4) — employment, social security, and social protection; health or social care; public health; archiving, research, and statistics.
- Part 2 (paragraphs 6–28) — substantial public interest conditions, including statutory and government purposes, administration of justice, equality of opportunity, preventing or detecting unlawful acts, regulatory requirements, journalism and academia, and preventing fraud.
- Part 3 (paragraphs 29–37) — consent, protecting vital interests, not-for-profit bodies, personal data in the public domain, legal claims, judicial acts, and specific safeguarding purposes.
Many of the Part 3 conditions mirror the Article 9(2) conditions for special-category data, but they are set out in Schedule 1 rather than in Article 10 itself. Paragraphs 29 to 34 of Schedule 1 are similar to the Article 9 conditions but are applied differently for criminal-offence data. For example, Schedule 1, paragraph 29, permits processing based on consent, but the ICO confirms that consent under this condition must satisfy the Article 4(11) UK GDPR validity requirements (freely given, specific, informed, and unambiguous). In many employment contexts—such as requiring employees to undergo DBS checks—consent will not be freely given and is therefore invalid; in such cases, controllers must rely on a different condition (typically paragraph 1, employment, social security, and social protection, or paragraph 10, preventing or detecting unlawful acts).
Appropriate policy document requirement
Schedule 1, paragraph 5, requires controllers relying on certain conditions to maintain an appropriate policy document (APD) before processing begins. The APD requirement applies to most Part 1 and Part 2 conditions but not to all Part 3 conditions. Specifically, controllers relying on paragraphs 10 (preventing or detecting unlawful acts) or 27 (disclosure to elected representatives) do not need an APD solely for the purpose of disclosing data to the relevant authorities (or preparing to disclose it), though an APD is still required for other processing activities under those conditions.
Schedule 1, paragraph 39, sets out the minimum content of an APD: it must explain the controller's procedures for securing compliance with the Article 5 UK GDPR principles in connection with the processing of criminal-offence data and set out the controller's policies for retaining and erasing such data. The ICO publishes a template APD. Controllers must retain the APD for at least six months after the processing ceases and must make it available to the ICO on request. The document must be kept under review.
Comprehensive registers — Article 10(1) second sentence
Article 10(1) UK GDPR provides a second rule: "Any comprehensive register of criminal convictions shall be kept only under the control of official authority." The ICO interprets a "comprehensive register" as a database of criminal convictions shared between different organisations—for example, an industry blocklist of employees with criminal convictions shared between employers in a sector as a recruitment screening tool. The ICO confirms that such registers are prohibited unless the organisation has official authority laid down in law to maintain them. In most cases, maintaining an industry blocklist based on criminal-offence data without official authority will contravene Article 10.
The prohibition does not apply to records held by an organisation about its own employees; it applies only to registers covering individuals across multiple organisations.
Interaction with Part 3 of the DPA 2018 (law enforcement processing)
Article 10 applies when processing is subject to the UK GDPR (Part 2 of the DPA 2018). If processing is carried out by a competent authority for law enforcement purposes as defined in section 31 of the DPA 2018 (the prevention, investigation, detection, or prosecution of criminal offences or the execution of criminal penalties), the processing is instead subject to Part 3 of the DPA 2018, not Article 10. However, competent authorities processing criminal-offence data for non-law-enforcement purposes—such as human resources functions—must comply with Article 10 and the Schedule 1 conditions.
DPIA, data minimisation, and transparency obligations
The ICO confirms that use of criminal-offence data, particularly on a large scale, increases the need for documentation, data protection impact assessments (DPIAs), and data protection officers (DPOs). Controllers must carry out a DPIA for any processing that is likely to be high risk. Article 35(3)(b) UK GDPR requires a DPIA for processing on a large scale of special categories of data under Article 9(1) or personal data relating to criminal convictions and offences under Article 10. The ICO recommends that controllers carry out a DPIA whenever processing criminal-offence data on a large scale or to determine access to a product, service, opportunity, or benefit.
Controllers must also apply the data minimisation principle rigorously: criminal-offence data should be processed only where necessary and proportionate to the purpose, and controllers must not hold more data than they need.
No exemption from Article 10
The ICO confirms that the only exemption from Article 10 is the public interest exemption for journalism, academia, art, or literature (Schedule 2, Part 5, paragraph 26, of the DPA 2018). There are no other exemptions. The ICO cannot authorise the use of criminal-offence data in the absence of an official authority or a Schedule 1 condition. Adding further conditions would require new legislation by the UK government.
Source: UK GDPR Article 10, legislation.gov.uk
Source: Data Protection Act 2018, section 10, legislation.gov.uk
Source: Data Protection Act 2018, section 11, legislation.gov.uk
Source: Data Protection Act 2018, Schedule 1, legislation.gov.uk
Source: ICO, What are the rules on criminal offence data?
Source: ICO, What is criminal offence data?
Source: ICO, What are the conditions for processing?