GDPR

Contract as lawful basis

Contract is one of the lawful bases for using personal data. We recommend you use contract or legitimate interests as the lawful basis, rather than consent.

You’re likely to rely on ‘contract’ if you:

  • have a contract with a client and you need to use their personal data to meet the contract’s requirements
  • need to enter into a contract with a client, for example, if they’ve asked you to do something, such as provide a quote

You’ll need to record which legal basis you’re using for their personal data and tell your client what it is. You can’t swap from one legal basis to another.

Processing must be ‘necessary’

You can only use the person’s data if it’s ‘necessary’ for your side of the contract.

If you’re using the data for business purposes, you should rely on another lawful basis, such as legitimate interests.

Recording contract

You need to record why you used personal data for the contract. You must also include information about your lawful basis in your privacy notice.

Sensitive data

If the data is sensitive (special category), you’ll also need to meet one of the requirements in Article 9 of the GDPR.

Children

If you have a contract with a child under 18, you need to make sure they’re able to enter into a contract. You may want to rely on legitimate interests to make sure the child’s rights and interests are protected.

Read the ICO’s guidance on children and the GDPR

Data portability

Your client will have the right to data portability. This means they have the right to get their personal data from you in a way that’s accessible and machine-readable, for example as a CSV file.

They can also ask you to send this data directly to another controller.

Read the ICO’s guidance on data portability