What are the lawful bases for processing the personal data? #GDPR

Article 6 of the GDPR sets out how personal data may be processed lawfully:

‘Article 6 Lawfulness of processing

1. Processing shall be lawful only if and to the extent that at least one of the following applies:

(a)    The data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b)    Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c)     Processing is necessary for compliance with a legal obligation to which the controller is subject;

(d)    Processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e)    Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f)     Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks. 


Category 1(b) (c) (d) and (e) are all likely to apply in certain circumstances, but the most appropriate is likely to be 1(c) – the terms of service for NHS pharmacies and 1(e) – for all pharmacies. The provision of pharmaceutical services by pharmacy businesses is carried out in the public interest, both within the NHS and in the private sector.

By a quirk of legislation (unless this is reversed in the UK legislation accompanying the GDPR) pharmacy contractors with the NHS are considered to be public authorities and, therefore, cannot use lawful processing category 1(f) for the provision of pharmaceutical services. 

Please note there is another hurdle or consideration if you want to process special categories of personal data lawfully.

View our GDPR page for more information