What is data processing?
'Processing' is any operation performed on personal data (eg names and addresses), other than for purely personal or household purposes. It includes:
- obtaining personal data
- recording personal data
- storing personal data
- organising personal data
- retrieving personal data
It also covers using, disclosing, erasing and destroying personal data, so almost anything an organisation does with such data counts as processing.
People who process personal data can either be 'data controllers' or 'data processors'.
What is a data controller?

The data controller is the main decision-maker. They decide on the purposes for and means of processing personal data. In other words, the data controller is the entity (eg organisation or person) that says how and why personal data is processed.
A data controller can delegate the processing of personal data to a data processor. However, the data controller remains ultimately responsible for ensuring that the personal data is processed lawfully and kept secure, including when a processor handles it on the controller's behalf.
Examples of data controllers include:
- employers who collect and control staff personal data
- marketing agencies that decide how and why personal data is used in promotional campaigns (eg direct mail or email marketing); an agency that merely sends out a client's list on the client's instructions is more likely to be a processor
- GP practices
Whether an entity is a controller or a processor depends on what it actually does with the data, not on the label used in a contract.
What is a joint controller?

Data controllers can determine the purposes and means of processing either alone or together with others. In the latter case, the data controllers are referred to as 'joint controllers'.
Joint controllers share responsibility for determining the purposes and means of processing personal data: they pursue a common or shared purpose and jointly decide how the data is processed. Joint controllers must agree, in a transparent way, who is responsible for which data protection obligations (eg responding to data subjects' requests and providing privacy information).
Data controllers will not be joint controllers if they process the same personal data for their own separate purposes. In that case, each is an independent controller for its own processing.
What is a data processor?

A data processor carries out the instructions of the data controller in its processing of personal data. In other words, the data processor is the entity that acts on behalf of, and only on the instructions of, the data controller.
Data processors, like data controllers, must ensure the security of any personal data they process. However, data processors only process personal data on behalf of the data controller.
Examples of data processors include:
- payroll service providers
- IT consultants who handle personal data only as instructed by their client
- third-party payment processors (eg Stripe), to the extent that they act on the merchant's instructions; where such a provider decides for itself how to use the data (eg for its own fraud prevention or regulatory reporting), it is a controller for that processing
Data controllers must enter into a written contract (a Data processing agreement) with each data processor. The contract must set out the subject matter, duration, nature and purpose of the processing, the type of personal data and categories of data subjects involved, and the controller's documented instructions, and it must require the processor to keep the data secure, to assist the controller with its obligations, and to delete or return the data at the end of the service.
What are sub-processors?

A sub-processor (or 'data sub-processor') is a third-party entity engaged by a data processor to process personal data on behalf of the data controller. In other words, it is another party that a data processor engages to help it process certain personal data under the authority of the data controller. Sub-processors may, for example, be engaged to:
- process (eg sort) personal data on the data processor's behalf
- store personal data (eg in cloud-based storage systems) for the data processor
A sub-processor operates under the authority of the data processor and is subject to the same data protection obligations as the data processor. This means that sub-processors need to comply with all relevant data protection obligations. The data processor is fully liable to the controller for the sub-processor’s compliance with data protection obligations. In other words, if a sub-processor doesn’t comply with its legal obligations, the data controller can hold the data processor liable for the sub-processor’s failures.
Note that data processors require the data controller's prior written authorisation to appoint sub-processors. This authorisation may be specific (naming each sub-processor) or general; where it is general, the processor must inform the controller of any intended addition or replacement of sub-processors and give the controller the opportunity to object. The processor must also impose the same data protection obligations on the sub-processor, by contract, as apply under its own contract with the controller.
If you need help determining whether you’re a data controller or processor, do not hesitate to Ask a lawyer.

When can personal data be processed?
Organisations require a lawful basis (also known as a 'lawful ground') to process any personal data. This means that organisations must have a valid reason for processing any particular personal data. The UK GDPR and the Data Protection Act 2018 (DPA) set out six lawful bases (or 'grounds') under which personal data can be processed.
If personal data is processed by an organisation that does not have a lawful basis for doing so, this amounts to a breach of data protection law. This can result in severe consequences (eg large fines). For more information, read Complying with the GDPR.
What are the lawful grounds for processing personal data?
Organisations can only process personal data if one (or more) of the following six grounds is met:
Consent
Data controllers can obtain the consent of data subjects (ie the individuals to whom the personal data relates) to process their personal data. Consent must be:
- freely given
- specific
- informed
- unambiguous, and
- as easy to withdraw as it was to provide
Consent can be given by way of a statement or affirmative action (ie a clear opt-in). This means that organisations must not rely on pre-ticked opt-in boxes.
The burden of proof lies with the data controller, who must be able to demonstrate that consent was validly obtained. As such, a data controller should keep records of who consented, when, how and to what, and should review consent regularly and refresh it if the purposes of processing change.
For more information, read Consent for GDPR.
Performance of a contract
This ground for processing should be used if the processing is necessary for the performance of a contract or where it is necessary in order to ‘take steps’ at the request of the data subject before entering into the contract (eg providing a quote).
When relying on this ground, the processing must be necessary. This means that this ground cannot be used if the organisation could achieve its goal by processing less personal data or using personal data in a less intrusive way.
Compliance with a legal obligation
This ground for processing applies where personal data is processed in order to comply with a specific legal obligation. The obligation does not have to be set out in legislation or statute (it may, for example, arise under common law), but it must be an obligation under UK law, and the organisation should be able to identify the specific obligation it is complying with.
For example, employers may be required to process certain health-related data to comply with their health and safety duties.
When relying on this ground, the processing must be necessary. This means that this ground cannot be used if an organisation can reasonably comply with its legal obligation without the data processing.
Vital interests of the data subject
This ground applies if the processing is required to protect the vital interests of the data subject or another individual.
Vital interests include interests essential for the life of the data subject (eg when providing information to paramedics who are assisting someone who is unconscious) or processing data for humanitarian purposes and, in particular, cases where a disaster has struck.
When relying on this ground, the processing must be necessary. This means that this ground cannot be used if an organisation can protect the person's vital interests in another, less intrusive way. In practice, this ground is intended for emergencies; it will rarely apply where the data subject is capable of giving consent, and it should not be used as a routine basis for processing health data.
Public interest
This ground applies if the processing is necessary for performing a task that is in the public interest or in the exercise of official authority vested in the data controller. The task or authority must have a clear basis in law. For example, a local authority uses personal data to collect council tax.
This ground cannot be relied on by an organisation that can reasonably perform its tasks or exercise its powers in a less intrusive way.
Legitimate interests of the data controller
This ground applies if the processing is necessary for legitimate interests pursued by the data controller or by a third party, provided that those interests are not overridden by the interests or fundamental rights and freedoms of the data subject. Legitimate interests can include commercial interests, individual interests, or broader societal benefits; for example, processing for fraud prevention or to ensure network and information security.
Public authorities cannot rely on this ground for processing carried out in the performance of their public tasks. Organisations whose processing involves children's personal data can rely on it, but must give particular weight to the child's interests and rights in the balancing test, as children are less likely to understand the risks and consequences of processing.
If a data controller wishes to rely on the legitimate interests ground, it should conduct a Legitimate interests assessment (LIA) and keep a record of it, to meet its accountability obligations. An LIA is a three-part test that identifies:
- what the legitimate interest is (the purpose test)
- whether the processing is necessary to achieve that interest, or whether the same result could be achieved in a less intrusive way (the necessity test)
- whether the interest is outweighed by the interests, rights and freedoms of the data subjects (the balancing test)
The balancing test requires the data controller to weigh the benefits of the processing against its impact on data subjects, taking into account what they would reasonably expect, and to demonstrate that its legitimate interest is not overridden by their interests and rights. For more information, read Legitimate interest assessments.

For more information on the grounds for processing, see the ICO’s guidance on the lawful bases for processing.
How can I determine which lawful basis for processing applies?
Organisations need to determine which lawful basis applies to their processing of personal data. This will depend on their specific purposes and the context of the processing. More than one basis for processing may apply, and if this is the case, all bases must be identified and documented from the start.
When determining which lawful basis for processing applies, organisations must not adopt a one-size-fits-all approach; no one ground for processing will always be better, safer, or more appropriate, and there is no hierarchy set out in the GDPR.
Some bases align with specific purposes (eg a legal obligation or the performance of a contract). Organisations processing personal data for specific purposes that align with specific bases should consider these bases first. If none of these more specific grounds apply, organisations should consider whether the more flexible grounds of consent or legitimate interest apply. This will involve assessing the wider context of the processing, for example, by considering:
- who benefits from the processing
- whether data subjects would expect this type of processing
- the relationship the data controller has with data subjects (including whether the data controller is in a position of power over them)
- whether data subjects are vulnerable
If you need help determining your lawful basis for processing, you can use the ICO’s lawful basis web tool. Alternatively, consider using our GDPR compliance service.
Do special rules apply to special category personal data and criminal offence data?
Special category personal data (previously referred to as 'sensitive personal data') is personal data that is given more protection due to its sensitive nature. It covers information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data used to identify someone, and data concerning health (mental or physical), sex life or sexual orientation.
Criminal offence data is data relating to criminal convictions and offences or related security measures, including allegations and proceedings. Due to its sensitive nature, it is also given greater protection under the UK GDPR and the DPA.
When processing involves special category personal data and/or criminal offence data, the organisation processing it must, in addition to identifying a lawful basis, meet a further condition for processing (for special category data, one of the conditions in Article 9 of the UK GDPR; for criminal offence data, a condition set out in the DPA). Some of these conditions also require an appropriate policy document to be in place. Because such processing is more likely to result in a high risk to individuals, it will often require a Data protection impact assessment (DPIA) to be carried out.
For more information, read Data protection impact assessments, Compliance for DPIAs, and Criminal offence data for DPIAs.
If you have any questions or concerns about processing personal data, do not hesitate to Ask a lawyer. Consider using our GDPR compliance service to ensure that your business complies with all applicable data protection laws and obligations.