
What legal grounds do you have?

Nick Hunt, Technical Manager, Specialist Business Support
3 minute read
Last updated on 23rd May 2018


To hold and process personal data, you need to have and document at least two lawful grounds for doing so. Find out what the lawful reasons for holding personal data might be.

Legal Grounds

Doing anything with your clients’ non-sensitive personal data relies on you having the ‘legal grounds’ to do so. Below are the six allowable legal grounds to consider. No single basis is more important than another:

  • Necessary for the controller’s legitimate interests – If it’s necessary to use personal information for business purposes

  • Consent – this has to be given freely (you can’t insist upon it in exchange for a service); it has to be specific to how the data is used; unambiguous (there’s no doubt that consent has been given); and informed (they need to know how you plan to use it before consent can count)

  • Necessary to perform a contract – if you’ve been asked to do something and the use of their personal data is necessary

  • Necessary for compliance with a legal obligation – if you’re legally required to do something and need the personal data to do it

  • Necessary to protect vital interests – if it’s in your client’s best interests, such as a medical emergency

  • Necessary to perform a task in the public interest – this could be sharing information with police, security services, etc.

If satisfied that you meet the requirements of legal grounds, you’ll need to document it and take care to get it right first time around (you won’t be able to swap these around at a later stage without good reason). If the purpose changes, you may continue to process the data under the initial lawful basis, provided the new purpose is compatible with the initial purpose.

If you use any form of e-marketing, it’s worth knowing that similar rules apply under the Privacy and Electronic Communications Regulations (PECR). PECR is intended to restrict unsolicited marketing by phone, fax, email, text, or other electronic message.

There are different rules for different types of communication. For example, you’ll need specific consent to send unsolicited direct marketing. The best way to obtain valid consent is to ask customers to tick opt-in boxes confirming they are happy to receive marketing calls, texts or emails from you.

For more information about PECR go to

Special Categories of Personal Data

If processing someone’s personal data which is of a more sensitive nature (commonly referred to as Special Categories of Personal Data), you also need to satisfy one of the following grounds:

  • Explicit consent

  • Necessary for employment law

  • Necessary to protect the subject’s vital interests

  • Legitimate activity of a non-profit organisation or trade union

  • Data is already made public by the data subject

  • Necessary to defend or establish a legal claim

  • Substantial public interest

  • Necessary for preventative or occupational medicine

  • Necessary for public interest in public health

  • Necessary for archiving in the public interest

Examples of Special Categories of Personal Data include:

  • Racial or ethnic origin

  • Political opinion

  • Religious or philosophical beliefs

  • Trade union membership

  • Data concerning health and sexual orientation

  • Genetic data

  • Biometric data used for unique identification purposes, such as fingerprints

The details of the legal grounds must be captured within your Data Privacy Policy and used to notify your clients about how you use their data. For more on Data Privacy Policy, read ‘Data Policy and Notices’.
