Contract is one of the six legal bases for processing data under GDPR. 

If you have a contract with an individual, and in order to fulfil that contract you need to process their data, then this is a lawful basis. Contract also applies if you do not yet have a legally binding contract, but the individual has taken a ‘first step’ towards it.

For example: someone emails the church and asks for a quote to hire one of the rooms and some equipment. In order to fulfil their request, you will need to hold and process their data; you cannot provide them with the information without doing so. 

The person goes ahead with the hire and signs a contract; again, you need to hold and process their data in order to complete the contract.

However, if you were then to use their contact details to send them a fundraising request, you could not rely on the contract as a legal basis. It only applies to activities directly related to the contract itself.

You will also need to demonstrate that the processing was necessary. For example, if the phone number they gave you does not work, then using the email address they gave you is valid. Googling that email address, finding out their employer and calling them at their place of work is not.

You can read more about it on the ICO website.

Terms and Conditions | Our Privacy Policy | Disclaimer