Last review date: 31 December 2024
The legal basis would be either notification or consent, but it is not necessary to specifically identify the legal basis.
The PDPO is primarily a notification-based regime. Consent is only required where the data user seeks to use personal data for a "new purpose" outside the scope of the initial notification, or in relation to direct marketing (please refer to the "Direct Marketing" section).
The following are potential legal bases for processing personal data:
- appropriate notice has been provided to or made available to the data subject
- the data subject has provided consent to the processing for the identified purposes
- other
There are exemptions to the requirement of consent.
For example, personal data used for the purpose of (i) prevention or detection of crime; (ii) apprehension, prosecution or detention of offenders; (iii) prevention, preclusion or remedying (including punishment) of unlawful or seriously improper conduct, or dishonesty or malpractice; (iv) prevention or preclusion of significant financial loss arising from (a) any imprudent business practices or activities or (b) unlawful or seriously improper conduct, or dishonesty or malpractice, are exempted from the requirement of consent if its application would be likely to prejudice any of the above matters.
Last review date: 31 December 2024
No
There is no statutory concept of sensitive data under the PDPO.