Legal obligations as a legal basis

Next to contracts, consent, vital Interests, legitimate interests and public tasks the other legal basis to process data is a legal obligation (according to the UK General Data Protection Regulation – UK-GDPR). A business would choose a legal obligation as its lawful base, if they want to process personal information to comply with a common law or a statutory obligation. However, there are a few important points to consider.

Legal bases under UK data protection law

How to process personal data based on legal obligation

To use legal obligation as a legal basis for processing personal data, there are some conditions in play like

  • legal provisions must establish a clear and specific obligation to process that personal data,
  • legal provisions must at least define the purposes of the processing, or
  • the legal obligation should be imposed on the controller and not on the data subject.

This is best achieved by following a couple of pointers down below:

Identify relevant legal obligations

Clearly identify the specific legal obligations that require you to process personal data. This could include statutory or regulatory requirements imposed by national or international laws. It’s essential to determine the exact nature of the legal obligations and how they relate to your data processing activities.


Document the legal basis for processing personal data based on the necessity of processing for compliance with a legal obligation. This documentation should be part of your organisation’s data protection policies and record of processing activities (ROPA) according to Art. 30 UK GDPR to demonstrate your compliance efforts.

Regular review

Periodically review and update your understanding of the relevant legal obligations. Laws and regulations can change over time, so it’s important to stay up-to-date and make necessary adjustments to your data processing practices.

Tip: Sign up for our free newsletter on data protection and compliance to immediately learn about important changes in regulations and current rulings.

Data minimisation

Only process the minimum amount of personal data necessary to fulfil the legal obligation. Avoid processing additional data that is not directly required by the legal requirement. This means in particular that data, for example for sending newsletters or customer contact, cannot be merged with data for the fulfilment of legal obligations.

Data retention

Determine how long you need to retain the personal data to comply with the legal obligation. Once the data is no longer necessary for this purpose, it should be securely deleted or anonymised. Such retention periods can also origin within your legal obligation to start the processing.

Information obligations

As a controller you need to inform data subjects about your processing of their data according to Art. 13 and 14 UK GDPR. This information also includes details to the legal basis you rely the processing upon. Therefore, you are obliged to not only inform in a legal obligation to process the data, but should also name the specifics of such obligation.


As a company, always investigate whether there is a legal obligation for data processing, such as from tax laws, social security laws, accounting or, in certain cases, from police law, such as for airlines to keep records of the customers on board of their airplane.

Note: Even if there is a legal obligation to process personal data, you must still comply with all other requirements for the protection of this data. The obligation to process certain data does not release you from the requirements of data protection law.

If you are unsure whether this type of legal basis is relevant for your processing activities, please feel free to contact our experts, who will be happy to help you with the evaluation.

Secure your business

Receive flexible support for your data protection teams and officers in companies and corporations.