Contract as lawful basis

Posted: 7 August 2019

Contract is one of the lawful bases for using personal data. We recommend you use contract or legitimate interests as the lawful basis, rather than consent.

You’re likely to rely on ‘contract’ if you:

  • have a contract with a client and you need to use their personal data to meet the contract’s requirements
  • need to enter into a contract with a client, for example, if they’ve asked you to do something, such as provide a quote

You’ll need to record and tell your client what legal basis you’re using for their personal data. You can’t swap from one legal basis to another.

Processing must be ‘necessary’

You can only use the person’s data if it’s ‘necessary’ for your side of the contract.

If you’re using the data for business purposes, you should rely on another lawful basis, such as legitimate interests.

Recording contract

You need to record why you used personal data for the contract. You must also include information about your lawful basis in your privacy notice.

Sensitive data

If the data is sensitive (special category), you’ll also need to meet one of the requirements in Article 9 of the GDPR.


If you have a contract with a child under 18, you need to make sure they’re able to enter into a contract. You may want to rely on legitimate interests to make sure the child’s rights and interests are protected.

Read the ICO’s guidance on children and the GDPR

Data portability

Your client will have the right to data portability. This means they have the right to get their personal data from you in a way that’s accessible and machine-readable, for example as a CSV file.

They can also ask you to send this data directly to another controller.

Read the ICO’s guidance on data portability
