Guide to Data Protection Act for Data Controllers

Legal basis for processing


At a glance

  • You can rely on this legal basis if you need to process someone’s personal data:
    • to fulfil your contractual obligations to them; or
    • because they have asked you to do something before entering into a contract (e.g. provide a quote).
  • The processing must be necessary. If you could reasonably do what they want without processing their personal data, this basis will not apply.
  • You should document your decision to rely on this legal basis and ensure that you can justify your reasoning.

In brief

What does the DPA say? 

Schedule 2 of the DLP includes a condition for processing of personal data relating to contracts. Paragraph 2 of Schedule 2 says that processing is allowed where: 

Processing necessary for contract

2. The processing is necessary for -

(a) the performance of a contract to which the data subject is a party; or

(b) the taking of steps at the request of the data subject with a view to entering into a contract. 

When can I rely on a contract as a condition for processing?

To rely on this condition for processing, the data subject must be a party to the contract.

If the processing is necessary for the performance of the contract, or in preparation to entering into a contract, you can rely on it. 

When is the legal condition for contracts likely to apply?

 You meet this legal condition for processing if:

  • you have a contract with the individual and you need to process their personal data to comply with your obligations under the contract; or
  • you haven’t yet got a contract with the individual, but they have asked you to do something as a first step (e.g. provide a quote) and you need to process their personal data to do what they ask.

It does not apply if you need to process an individual’s details who is not party to the contract.

It does not apply if you take pre-contractual steps on your own initiative or at the request of a third party. 


An individual shopping around for car insurance requests a quotation. The insurer needs to process certain data in order to prepare the quotation, such as the age and driving history of the individual.

Note that, in this context, a contract does not have to be a formal signed document, or even written down, as long as there is an agreement which meets the requirements of contract law. Broadly speaking, this means that the terms have been offered and accepted, you both intend them to be legally binding, and there is an element of exchange (usually an exchange of goods or services for money, but this can be anything of value). However, this is not a full explanation of contract law, and if in doubt you should seek your own legal advice.

When is processing ‘necessary’ for a contract?      

The processing must be a targeted and proportionate way of achieving the purpose. This legal basis does not apply if there are other reasonable and less intrusive ways to meet your contractual obligations or take the steps requested.

The processing must be necessary to deliver your side of the contract with this particular person. If the processing is only necessary to maintain your business model more generally, this legal basis will not apply and you should consider another legal basis, such as legitimate interests. 


When a data subject makes an online purchase, a controller processes the address of the individual in order to deliver the goods. This is necessary in order to perform the contract.

However, the profiling of an individual’s interests and preferences based on items purchased is not necessary for the performance of the contract and the controller cannot rely on this condition as the legal basis for this processing. Even if this type of targeted advertising is a useful part of your customer relationship and is a necessary part of your business model, it is not necessary to perform the contract itself.

This does not mean that processing which is not necessary for the contract is automatically unlawful, but rather that you may need to look for a different legal basis as a condition for processing. 

What else should you consider?

If the processing is necessary for a contract with the individual, processing is legal on this basis and you do not need to look for a different legal basis.

If processing of sensitive personal data is necessary for the contract, you also need to identify a separate condition for processing this data in Schedule 3. Click here for more on sensitive personal data.

If the contract is with a child under 18, you need to consider whether they have the necessary competence to enter into a contract. If you have doubts about their competence, you may wish to consider an alternative basis such as legitimate interests, which can help you to demonstrate that the child’s rights and interests are properly considered and protected.

If the processing is not necessary for the contract, you need to consider another legal basis such as legitimate interests or consent. Note that if you want to rely on consent you will not generally be able to make the processing a condition of the contract. See more about consent here.

If you are processing on the basis of contract, the individual’s right to object and right not to be subject to a decision based solely on automated processing will not apply. See here for more on automated decision making.

It is best practice to document your decision that processing is necessary for the contract, and include information about your purposes and the legal basis in your privacy notice

Relevant provisions

Data Protection Act (2021 Revision)

Schedule 2, paragraph 2: Legal conditions for processing 

Previous Next