Process planning: Choosing the right legal basis for GDPR

With just over a month to go until GDPR comes into force across Europe, it is becoming the most talked about term in landlord and letting circles up and down the country.

One of the areas causing the most confusion is that of the legal bases for processing data.

There are six legal bases to process data within GDPR, all of which are appropriate at different times. But which are most appropriate for a landlord/tenant relationship, and is there a ‘catch all option’ that simplifies your GDPR preparations?

What exactly is a lawful basis for processing?

You are required to process all personal data lawfully, fairly and transparently. The only way you are able to tick all of these boxes is if you have a ‘lawful basis’ to do so.

The regulations understand that depending on your relationship, or contract status with the individual whose data you are processing, you may have a different lawful basis for processing. With this in mind, there are six bases to think about.

No single basis is better than another, but it is important to clarify which basis you are using before you start processing. It is very tricky to change to a different legal basis once you have started without a good reason!

It is important to remember that you must have a valid reason to use the basis you choose, and be able to justify that the same output could not be achieved with a less intrusive basis. You should document these reasons within your privacy policy.

This sounds confusing. Is this a new thing coming in with GDPR?

No, you have always been required to specify a legal basis for processing, even under the existing Data Protection Act 1998. You have always had to be prepared to clarify why you have chosen that basis, giving a clear reason why it is the most appropriate option.

GDPR does, though, put more emphasis on the need for you to be transparent about the basis you are using, and to be accountable for that decision.

What are the legal bases for processing?


Consent:

The ICO website states that this basis can be relied upon if you can offer people real choice and control over how you use their data, and want to build their trust and engagement. But if you cannot offer a genuine choice, consent is not appropriate. If you would still process the personal data without consent, asking for consent is misleading.

Consent is one lawful basis for processing, and consent (or explicit consent) can also legitimise use of special category data, restricted processing, automated decision-making and overseas transfers of data. Genuine consent should put individuals in control, build customer trust and engagement, and enhance your reputation; however, relying on inappropriate or invalid consent could destroy trust and harm your reputation (and may leave you open to large fines).

Consent is not inherently better or more important than the alternative options, so if consent is difficult, you should consider using an alternative.


Contract:

The ICO website states that this basis can be relied upon to process someone’s personal data to fulfil your contractual obligations to them or because they have asked you to do something before entering into a contract. The processing must be necessary to deliver your side of the contract with this particular person. If you could carry out proceedings without processing their personal data, this basis will not apply. If the processing is only necessary to maintain your business model generally, this lawful basis will not apply.

Legal obligation:

The ICO website states that this basis can be relied upon if you are reliant on processing the data in order to comply with a common law or statutory obligation. However, this does not apply to contractual obligations. The processing must be necessary. If you can reasonably comply without processing the personal data, this basis does not apply. You should document your decision to rely on this lawful basis, and be able to either identify the specific legal provision or an appropriate source of advice or guidance that clearly sets out your obligation, and ensure that you can justify your reasoning.

Legitimate Interest:

The ICO website states that this is the most flexible basis for processing, but not always the most appropriate. If you choose to rely on legitimate interest, you are taking on extra responsibility for considering and protecting people’s rights and interests. Legitimate interest is likely to be most appropriate where you use people’s data in ways they would reasonably expect, and which have a minimal privacy impact, or where there is a compelling justification for the processing.

There are three elements to the legitimate interests basis. It helps to think of this as a three-part test. You need to:

  • identify a legitimate interest;
  • show that the processing is necessary to achieve it; and
  • balance it against the individual’s interests, rights and freedoms.

You must balance your interests against the individual’s. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.

Keep a record of your legitimate interests assessment (LIA) to help you demonstrate compliance if required and make sure to include details of your legitimate interests in your privacy notice.

Vital interests:

The ICO website states that this basis can be relied upon if you need to process the personal data to protect someone’s life, and you must be able to justify your reasons for this choice.

Public Task:

The ICO website states that this basis can be relied upon if you need to process personal data:

  • ‘in the exercise of official authority’. This covers public functions and powers that are set out in law; or
  • to perform a specific task in the public interest that is set out in law.

Your underlying task, function or power must have a clear basis in law, and if you could reasonably perform your tasks or exercise your powers in a less intrusive way, this lawful basis does not apply. It is most relevant to public authorities, but it can apply to any organisation that exercises official authority or carries out tasks in the public interest. This is unlikely to apply to many individual landlords; however, it could be used if the police ever approach you requiring information about a tenant.

Full details of all of the bases are available on the ICO website, here:

Which option is most appropriate for me as a landlord?

It is entirely dependent on the structure of your business as to which basis for processing would be most appropriate for you.
Over the course of a standard tenancy (assuming finding and referencing a tenant, right to rent checks, gas safety checks, spot maintenance etc). However:

Consent: You may wish to utilise this as a ‘catch all’ option should you need to pass data on to other third parties for processing (maintenance etc).

Contract: Covers much of the data processing that you will have to do in order to manage a tenancy agreement, which is a legal contract.

Legal obligation: Covers any element of data processing that is legally required of you, such as right to rent checks.

Legitimate interest: Whilst you could choose this option to pass data on to third parties (maintenance etc), you do have to provide additional documentation in order to prove that it is the best basis for processing.

For more information, contact the helpline at the ICO here:
