Guide to Data Protection Act for Data Controllers

Legal basis for processing

Legal obligation

At a glance

  • You can rely on this condition if you need to process the personal data to comply with a common law or statutory obligation.
  • This does not apply to contractual obligations.
  • The processing must be necessary. If you can reasonably comply without processing the personal data, this condition does not apply.
  • You should be able to either identify the specific legal provision or an appropriate source of advice or guidance that clearly sets out your legal obligation to process the personal data.

In brief

What does the DPA say? 

Paragraph 3 of Schedule 2 of the DPA provides a legal basis for processing where: 

Processing under legal obligation

3. The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.

When is the condition for legal obligation likely to apply?

This condition can be relied upon when you are legally obliged to process the personal data to comply with the Act.

The DPA does not specify this, but it is assumed that the law being relied upon must be applicable in the Cayman Islands. However, this does not have to be an explicit statutory obligation, as long as the application of the Act is foreseeable to those individuals subject to it. As such, it includes clear common law obligations.

This does not mean that there must be a legal obligation specifically requiring the specific processing activity. The point is that your overall purpose must be to comply with a legal obligation which has a sufficiently clear basis in either common law or statute.

You should be able to identify the obligation in question, either by reference to the specific legal provision or else by pointing to an appropriate source of advice or guidance that sets it out clearly. For example, you can refer to a government website or to industry guidance that explains generally applicable legal obligations. 


An employer needs to process personal data to comply with its legal obligation to disclose employee salary details to the Economics & and Statistics Office of the Cayman Islands (“ESO”).

The employer can point to the ESO website where the requirements are set out to demonstrate this obligation. In this situation it is not necessary to cite each specific piece of legislation. 


A financial institution relies on the legal obligation imposed by Part IV of the Anti-Money Laundering Regulations to process personal data in order to undertake customer due diligence, and report suspicious activity to prevent money laundering.  


A court order may require you to process personal data for a particular purpose; this also qualifies as a legal obligation. 

Mandatory regulatory requirements also qualify as a legal obligation, provided there is a statutory basis underpinning the regulatory regime.

A contractual obligation does not comprise a legal obligation in this context. You cannot contract out of the requirement for a legal basis for processing. However, you can look for a different legal basis. If the contract is with the individual you can consider the legal basis for contracts. For contracts with other parties, you may want to consider legitimate interests. 

When is processing ‘necessary’ for compliance?

The processing must be a targeted and proportionate way of achieving compliance. You cannot rely on this legal basis for processing if you have discretion over whether to process the personal data, or if there is another reasonable way to comply.

It is likely to be clear from the law in question whether the processing is actually necessary for compliance. 

What else should you consider?

If your processing is based on a legal obligation, the right to stop processing (section 10 of the DPA) does not apply. Read our guidance on individual rights for more information.

Remember to:

  • document your decision that processing is necessary for compliance with a legal obligation;
  • identify an appropriate source for the obligation in question; and
  • include information about your purpose(s) in your privacy notice. Information on the legal basis of processing is not required but it is best practice to include it. 

Relevant provisions

Data Protection Act (2021 Revision)

Schedule 2, paragraph 3:Legal conditions for processing

Previous Next