Legal Article - Business Law

Step 6 - Lawful basis for processing personal data

Having completed Step 2 and compiled your list of what data you hold, you need to work out and document the lawful basis on which you process that data. For most of the data held by car dealers and garages, you are likely to use one of the following processing conditions to justify holding and processing the data:

1. consent has been obtained from the data subject
2. processing is necessary for the performance or future performance of a contract with the data subject
3. processing is necessary for compliance with a legal obligation
4. you have a legitimate interest in processing the data

For marketing activities, for example sending reminders about a servicing and MOT offer or advising of a new deal on certain vehicles, you are likely to rely on the consent condition. The consent has to be clear and freely given, so there must be an opt-in (as opposed to an opt-out) and the consent clause must not be tucked away in other T&Cs. In short, if you want to send out marketing material, make sure you have a record of where the individual opted in to receive marketing from you. Do not rely on assurances from third-party introducers, or you may end up with a £30,000 fine like Carfinance247.

For employee data, consent to hold information may no longer work under the GDPR, as there could be seen to be a power imbalance between an employer and an employee. In this case, you should be able to rely on processing conditions 2, 3 and 4: you need your employee's information to have a contract of employment with them, you need it to perform your legal obligation to pay tax and NI, and you have a legitimate business interest in holding and processing such information.

For sales paperwork and records, you can justify holding and processing this information under processing condition 2 because, quite simply, you need the customer's details to enter into a contract with them to buy the car or have the service or repair undertaken. Do think about what information you actually need in these circumstances, though, as the GDPR places an emphasis on minimising data processing: if you never email people, don't ask for the email address. If you make notes on, for example, the customer's wife's or children's names so that you build a rapport with them over time, you will have to rethink how you hold this information, as you will not have the wife's consent to hold her name and you will be left arguing that holding it falls under the legitimate interest condition, which is unlikely to wash if she complains.

In practice, if you do a thorough job at Step 2 and then apply the correct processing condition to every type of personal data you hold, you will be largely compliant and up and running, from both a due diligence and a compliance point of view.

Published: 11 Aug 2017

Edited: 30 Nov 1999
