Can personal data be shared without your permission?

Emily Clemence  29-10-2025

Personal data is one of the most valuable commodities available to companies. It is bought and sold, not always legally, and not always with the consent or knowledge of the individual who is the owner of the data.

 

What is personal data?

Personal data is defined in Article 4.1 of the UK General Data Protection Regulation (UK GDPR) as “‘…any information relating to an identified or identifiable natural person…”. Therefore, personal data can include (but is not restricted to) an address, credit card details and number plates.

Whilst these examples might constitute personal data, organisations may not be restricted from using and sharing this data, even if you have not given your consent for this to occur.

 

On what basis can data be lawfully processed?

Article 6 of the UK GDPR sets out a list of six lawful bases that organisations must abide by, to establish a lawful basis as to why your personal data has been used by them.

The bases are:

  • Consent of the data owner;
  • The right to process data under a contract;
  • That they have a legal obligation to process the data;
  • It is in the vital interests of the data owner for them to do so;
  • They are carrying out a public task by processing the data; or
  • They have a legitimate interest in processing the data. 

 

Consent of the data owner

If an organisation wishes to process your data under this ground, your consent to them processing your data should have been obtained as the result of a “genuine free choice”. You therefore cannot lawfully give your consent by omitting to tick a box for example. Furthermore, the organisation who wishes to process your data, must be clear at the outset about their intentions, and be clear about how your data will be used.

If your data has been used or processed without your consent, this does not necessarily mean the processing was unlawful, if one of the other bases for legally processing data is satisfied. 

 

Processing data under a contract

If using your personal details is deemed necessary to fulfil a contract that you have entered into with an organisation, the organisation may be able to use the lawful basis of contract rule to allow them to process your data.

For example, if you purchase a television from a retail store and have asked for it to be delivered, the store will need your address to deliver your item to you. As this is a necessary step to fulfil the contract and deliver your product, contract lawful basis would be used by the organisation to process your data, and potentially share it with a third party delivery service.

 

Legal obligation to process data

The organisation who holds your personal data, may need to fulfil a legal obligation that may require the sharing of that personal data, in order to comply with the law.

For example, the Proceeds of Crime Act 2002 provides that financial institutions are required to report suspicious activity that may indicate money laundering. Or a more common example would be the sharing of personal data by employers to payroll companies, or to the tax authorities, as they are legally obliged to do so.

 

Vital interest to process personal data

If it is necessary to protect your life or the lives of others, an organisation would be able to rely on the vital interest ground for processing your personal data.

For example, a if colleague has experienced a life-threatening allergic reaction and has fallen unconscious, and the employer has called an ambulance and has given details about the employee’s health to the ambulance crew, the legal basis of vital interest would be used as a justification for the processing of this data, even though it would generally be considered to be very personal.

However, this base would not qualify as a justification for the sharing of personal data if the data subject were physically and legally capable of giving consent for their data to be shared and processed, and have refused to do so.

 

Performing a public task

If sharing personal data is necessary for the performance of a task carried out in the public interest, or if it is processed by the exercise of an official authority, this can be justified by the base of public task performance.

For example, this could be used by a private electricity company who are considered to be carrying out functions of public administration and are exercising their legal powers to carry out utility services in the interest of the public and need the personal details of individuals in order to be able to carry out their public functions.

 

Legitimate interests data processing

An organisation may legally use your data for legitimate business interests. However, you are able to object to the use of your data on this basis.

An example may be if your brother is asked by his employer for contact details of next of kin or someone to contact in the event of an emergency. Your details are given to his employer as your brother would like for you to be his contact. Therefore, it is in the interest of both you and your brother that you are told about what is happening in the event of an emergency. Your details are held by the employer and are only to be accessed in the case of an actual emergency.

 

Has your data been unlawfully processed?

If you believe your information is being used or processed unlawfully, you may be able to bring a claim. 

Whilst you may not need to consent to your data being processed, organisations will be held accountable for the misuse of personal data or improper gain of personal data.

Contact us to speak to one of our experts about how we can help.

data unlawful processing claim lawyers solicitors advice