Legal basis for processing

A legal basis must exist in order for personal data to be processed, except in the rare case of an exemption.

The GDPR does set out a list of possible legal basis, which include:

• Where consent is provided
• Where a legal obligation exists
• Where a contractual obligation exists
• Where it is in the public's interests
• Where legitimate interests of the controller or third party outweighs the rights of the data subject

To obtain consent of a data subject a clear, affirmative action has to be provided. Consent must be:

• Freely given
• Specific
• Informed
• Unambiguous

You are solely responsible for ensuring you have a proper legal basis for collection, storage and processing of personal data you hold about individuals. You should not rely on the ShopWired platform for this.

A proper legal basis also includes keeping evidence of consent where processing is based on consent.

Where personal data includes cookies placed on individual website visitor's computers, consent to those cookies being placed is also the responsibility of the data controller.

It is the ShopWired user that acts as the data controller and so is responsible for ensuring a proper legal basis exists for the processing of personal data about data subjects, not ShopWired itself.