What are the primary lawful bases for processing Visitor and Contractor data under GDPR?

Primary lawful bases (most applicable)

1. Legal obligation (Article 6(1)(c)) — Core basis

You may process contractor data where it is necessary to comply with a legal obligation.

Typical site-use cases

Maintaining sign-in / sign-out records
Recording permit to work (PTW) issue and handback
Demonstrating H&S compliance (e.g. CDM Regulations, HSWA 1974)
Emergency roll calls and incident investigation
Statutory accident and near-miss records

Why this applies
UK health & safety law requires organisations to:

Know who is on site
Control hazardous work
Retain evidence of compliance

Consent is not required and not appropriate here.

2. Legitimate interests (Article 6(1)(f)) — Operational safety & security

You may process contractor data where it is necessary for your legitimate interests, provided those interests are not overridden by the individual’s rights.

Typical site-use cases

Site access control and security
Contractor induction records
Competency and certification checks
Key management and asset tracking
Audit trails within systems like SafeWorks / SkyVisitor

Key requirement
You must:

Document a Legitimate Interests Assessment (LIA)
Demonstrate necessity and proportionality
Offer transparency via a privacy notice

3. Contract performance (Article 6(1)(b)) — Often secondary

Applies where processing is necessary to perform a contract with the contractor or their employer.

Examples

Contact details to coordinate work
Verifying identity against a work order
Recording attendance for contractual reporting

This is usually supplementary, not the primary basis for site safety systems.

Special category data (if applicable)

If you process special category data (Article 9) — e.g.:

Medical fitness or restrictions
Drug & alcohol test results
Disability-related adjustments

You need both:

A lawful basis under Article 6 and
A special condition under Article 9

Common Article 9 conditions

Employment, social security & social protection law (Art. 9(2)(b))
→ Fitness-for-work and statutory H&S requirements
Public interest in public health (Art. 9(2)(i))
→ Rare, but applicable in regulated environments
Explicit consent (Art. 9(2)(a))
→ Only if truly optional and freely given (often not valid on site)

What is not appropriate in most cases

Consent (Article 6(1)(a))
Contractors are in a position of imbalance of power. Regulators consistently state consent is usually invalid for site access, safety, or compliance data.

Data minimisation & retention (critical for compliance)

Regardless of lawful basis, you must:

Collect only what is necessary
Define and document retention periods, e.g.:
- Sign-in logs: 6–24 months (unless incident-related)
- PTW records: aligned to H&S audit cycles
- Incident records: per statutory limitation periods
Restrict access to authorised personnel
Provide contractors with a clear privacy notice

What is not appropriate in most cases

Consent (Article 6(1)(a))
Contractors are in a position of imbalance of power. Regulators consistently state consent is usually invalid for site access, safety, or compliance data.

Data minimisation & retention (critical for compliance)

Regardless of lawful basis, you must:

Collect only what is necessary
Define and document retention periods, e.g.:
- Sign-in logs: 6–24 months (unless incident-related)
- PTW records: aligned to H&S audit cycles
- Incident records: per statutory limitation periods
Restrict access to authorised personnel
Provide contractors with a clear privacy notice

Recommended lawful basis mapping (best practice)

Data type	Lawful basis
Site check-in / out	Legal obligation
Permit to Work records	Legal obligation
Emergency roll call	Legal obligation
Keys / asset tracking	Legitimate interests
Induction & competence	Legitimate interests
Contact details	Contract performance
Medical fitness (if any)	Legal obligation + Art. 9(2)(b)