Section 7 legitimate uses, decoded.
Not all lawful processing runs on consent. Section 7 carves out a set of legitimate uses where a Data Fiduciary may process personal data without collecting consent at all. Knowing which ground applies — and proving it — keeps you from asking for consent you do not need, or relying on consent you cannot get.
Consent is a basis, not the basis.
Section 7 exists because some processing is necessary and consent is either impractical or beside the point. Forcing a consent flow onto these grounds is its own kind of error.
Where a Section 7 legitimate use applies, consent is not the lawful basis — and you should not collect it, because doing so misrepresents the relationship and creates a consent record you cannot honour a withdrawal against. If processing is necessary for employment, you cannot let an employee "withdraw" consent to payroll. The honest, compliant move is to rely on the correct §7 ground and document it, not to paper over it with a consent tick.
That said, §7 is not a free pass. The processing must still be limited to what the ground actually covers, subject to data minimisation, and recorded — which is the documentation duty we close on.
Each legitimate use, with an example.
Section 7 enumerates specific legitimate uses. Here is each, in operator terms, with where it does and does not stretch.
| Legitimate use | What the ground covers | Example |
|---|---|---|
| Voluntary provision | The Data Principal voluntarily provides data for a purpose and has not indicated they object to its use for that purpose. | Example: a customer hands you their phone number to receive a delivery update — you may use it for that, without a separate consent flow. |
| Employment | Processing necessary for purposes of employment, or to safeguard the employer from loss or liability. | Example: payroll, attendance, provisioning access, and protecting against corporate espionage — employees do not consent to payroll, and cannot withdraw it. |
| State functions & subsidies | Processing by the State or its instrumentalities to provide a subsidy, benefit, service, certificate, licence, or permit. | Example: a government department issuing a benefit uses the data necessary to deliver it under this ground, not consent. |
| Legal obligation / compliance | Processing necessary to comply with a judgment, order, or a legal obligation to disclose information. | Example: producing records in response to a lawful court order or a statutory disclosure requirement. |
| Medical emergency | Processing necessary to respond to a medical emergency involving a threat to life or immediate threat to health. | Example: a hospital accessing a patient's data to treat them when they are unconscious and cannot consent. |
| Health & safety / disaster | Processing to provide medical treatment or health services during an epidemic, outbreak, or threat to public health — or to ensure safety during a disaster or breakdown of public order. | Example: contact tracing during an outbreak, or coordinating relief during a declared disaster. |
| Disaster response | Processing necessary to take measures to ensure safety of, or provide assistance or services to, individuals during a disaster. | Example: a relief agency processing affected-population data to deliver aid during a flood or earthquake. |
Where consent is NOT the lawful basis.
The most expensive §7 mistakes come from blurring the boundary in either direction.
Two failure modes recur. The first is collecting consent where §7 governs — asking an employee to consent to payroll, then facing the impossible position of a consent withdrawal you cannot act on. The second is the mirror image: claiming §7 where it does not reach — using "employment" to justify monitoring that has nothing to do with employment, or stretching "voluntary provision" to cover a purpose the Principal never had in view.
The discipline is to name the precise ground for each processing activity, scope the processing to exactly what that ground supports, and stop there. Marketing to an employee is not employment. Profiling a customer who gave you a number for a delivery update is not voluntary provision for profiling.
The documentation duty.
Relying on §7 removes the consent requirement. It does not remove accountability.
Even where no consent is collected, a Fiduciary must still maintain a record of its processing activities — what data, for what purpose, on which legitimate-use ground, and why that ground applies. When the Board asks why you processed data without consent, "it was a legitimate use" is a claim; a maintained processing-activity register that names the §7 ground for each activity is evidence.
This is why §7 activities belong in a processing-activity register, not in the consent ledger. They are governed differently, proven differently, and audited differently — but they are still governed, proven, and audited.
Map every activity to a lawful basis. Before the Board does.
The free Readiness Gap Analyser helps you separate consent-based from §7 processing and spot where your lawful bases are unclear or undocumented.