GDPR for external data: lawful bases, roles and transfers
When an external dataset contains personal data, the GDPR applies to you, not just to the supplier. Getting the basics right at the sourcing stage avoids expensive problems later. This guide explains lawful bases, controller and processor roles, transfers and the role of anonymisation, in practical terms for data buyers.
When does the GDPR apply?
The General Data Protection Regulation (Regulation (EU) 2016/679) applies whenever you process personal data: any information relating to an identified or identifiable person. Much external data is non-personal and falls outside it. But data that can, directly or indirectly, identify someone, including data that becomes identifying when combined with other sets, is in scope. The first sourcing question is therefore simple: does this dataset contain or enable identification of individuals?
Lawful basis
Processing personal data requires a lawful basis. For external data, the most relevant are usually legitimate interests (subject to a balancing test) and, less often, consent or contract. The basis must be identified before processing and documented. Crucially, a supplier’s basis for collecting data does not automatically cover your basis for using it; you need your own.
Controller and processor roles
The GDPR allocates responsibility according to who determines the purposes and means of processing. A buyer who decides why and how data is used is typically a controller; a party processing on the buyer’s instructions is a processor. Sourcing arrangements should make these roles explicit, because they drive obligations, from contracts to breach notification. Where two parties jointly determine purposes, joint-controller arrangements may apply.
Special-category and sensitive data
Some data (health, genetic and biometric data, racial or ethnic origin, political opinions, religious beliefs, trade-union membership, sex life or sexual orientation) is special-category data under Article 9. Processing it needs a specific Article 9 condition on top of the ordinary Article 6 lawful basis, and legitimate interests alone is not enough. Other contexts (children's data, location, financial data, criminal-offence data) carry heightened expectations or their own conditions. Sourcing such data demands extra scrutiny of the basis, the safeguards and, frequently, a data protection impact assessment (DPIA).
International transfers
If personal data moves outside the UK or EEA, transfer rules apply. Lawful routes include adequacy decisions, standard contractual clauses (SCCs) for transfers from the EEA, and, for transfers from the UK, the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, alongside other appropriate safeguards. Since the Schrems II judgment, a transfer relying on SCCs or the IDTA also needs a documented transfer risk assessment of the destination country's laws and any supplementary measures. Sourcing data with a global footprint means confirming where it originates, where it is hosted and processed (including by the supplier's sub-processors), and which transfer mechanism applies to each hop.
Anonymisation and pseudonymisation
Effective anonymisation takes data outside the GDPR's scope because individuals can no longer be identified, but the bar is high: the test in Recital 26 is whether anyone, using all the means reasonably likely to be used, could single out or re-identify a person. "Anonymisation" that a motivated party can reverse does not qualify, for example replacing identifiers with an unkeyed hash that can be recomputed from a list of candidate values, or leaving a unique combination of quasi-identifiers (postcode, date of birth, and similar) in the released table. Pseudonymisation (Article 4(5): replacing identifiers so that re-identification requires additional information, such as a key, that is held separately) reduces risk and counts as a safeguard, but the data remains personal data. Aggregation and synthetic data are further tools, each with its own residual disclosure risk to assess. Choosing the right technique, and evidencing it, is often the difference between a usable dataset and an unusable one.
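The two failure modes above, and one way of evidencing the treatment applied, in an added example that is not part of the original article and not any supplier's code. It uses constructed records (made-up people and postcodes), a throw-away HMAC key, and a small k-anonymity check over quasi-identifiers; the function names are this example's own. It shows that an unkeyed hash of an e-mail address is reversible by anyone holding a candidate list, that a keyed hash resists that attack but is still re-linkable by the key holder (so it is pseudonymisation, not anonymisation), and that generalising quasi-identifiers raises the smallest group size from 1 to 2 in the sample.

```python
"""Added example: weak vs keyed tokens, and a k-anonymity check.

All records below are constructed for the example; no real individuals.
"""
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample of a purchased dataset (made-up individuals).
RECORDS = [
    {"email": "alice@example.com", "postcode": "SW1A 1AA", "birth_year": 1984, "spend": 120},
    {"email": "bob@example.com",   "postcode": "SW1A 2BB", "birth_year": 1987, "spend": 75},
    {"email": "carol@example.com", "postcode": "SW1A 1ZZ", "birth_year": 1991, "spend": 310},
    {"email": "dave@example.com",  "postcode": "SW1A 3CC", "birth_year": 1995, "spend": 40},
    {"email": "erin@example.com",  "postcode": "M1 1AE",   "birth_year": 1975, "spend": 90},
    {"email": "frank@example.com", "postcode": "M1 2AB",   "birth_year": 1979, "spend": 55},
]


def unkeyed_token(email: str) -> str:
    """A plain SHA-256 of the identifier: deterministic and recomputable by anyone."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def keyed_token(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key (pseudonymisation in the Article 4(5) sense).

    Without the key the token cannot be recomputed from a candidate e-mail;
    the key holder, however, can still re-link it, so the data stays personal."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def dictionary_attack(tokens, candidates, tokenize):
    """Re-identify tokens by recomputing them for a list of candidate e-mails
    (an adversary's own customer list, a breach dump, ...). Returns {token: email}."""
    lookup = {tokenize(c): c for c in candidates}
    return {t: lookup[t] for t in tokens if t in lookup}


def generalise(record):
    """Coarsen quasi-identifiers: outward postcode only, birth decade instead of year."""
    return {
        "postcode_area": record["postcode"].split()[0],
        "birth_decade": record["birth_year"] // 10 * 10,
        "spend": record["spend"],
    }


def min_k(rows, quasi_ids):
    """Size of the smallest equivalence class over the quasi-identifiers (k-anonymity).

    k == 1 means at least one row is singled out by those attributes alone."""
    groups = Counter(tuple(r[q] for q in quasi_ids) for r in rows)
    return min(groups.values())


def demo():
    emails = [r["email"] for r in RECORDS]
    # Constructed: a third party's list of addresses it already knows.
    attacker_list = ["bob@example.com", "mallory@example.com", "erin@example.com"]

    # 1. "We hashed the e-mails" is not anonymisation: the list reverses it.
    weak = [unkeyed_token(e) for e in emails]
    recovered = dictionary_attack(weak, attacker_list, unkeyed_token)

    # 2. Keyed tokens resist the same attack without the key ...
    key = secrets.token_bytes(32)
    strong = [keyed_token(e, key) for e in emails]
    recovered_keyed = dictionary_attack(strong, attacker_list, unkeyed_token)
    # ... but whoever holds the key can still re-link them.
    relinked = dictionary_attack(strong, attacker_list, lambda e: keyed_token(e, key))

    # 3. Evidence for the release: raw quasi-identifiers single people out (k = 1);
    #    after generalisation every row shares its values with at least one other.
    k_raw = min_k(RECORDS, ["postcode", "birth_year"])
    k_gen = min_k([generalise(r) for r in RECORDS], ["postcode_area", "birth_decade"])

    return {
        "recovered_by_attacker": sorted(recovered.values()),
        "recovered_from_keyed": sorted(recovered_keyed.values()),
        "relinked_by_key_holder": sorted(relinked.values()),
        "k_raw": k_raw,
        "k_generalised": k_gen,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The k-anonymity figure is only one piece of evidence: a group of two is still weak, the `spend` column is left untouched here and could itself be identifying, and the Recital 26 test also has to consider what other datasets the recipient could reasonably combine with this one. The point of the check is to make the treatment measurable and recordable, which is what the documentation section below asks for.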
Documentation buyers need
For regulated and tender-led work, sourcing should produce a clear record: the lawful basis, the roles, the provenance of the data, the licence terms, any transfer mechanism, and the privacy treatment applied. This is precisely the documentation a well-run managed supply process captures as standard.
Legitimate interests: running the balancing test
Legitimate interests is the most common lawful basis for external data, but it is not a free pass: it requires a documented three-part assessment. First, the purpose test: is there a real, specific interest (for example, fraud prevention or market analysis)? Second, the necessity test: is processing this data actually needed for that purpose, or would less data, or less identifying data, do? Third, the balancing test: do the individuals' rights, freedoms and reasonable expectations override your interest? Data acquired from third parties is sensitive here, because the individuals did not provide it to you, may not expect your use, and may never have been told about it; the Article 14 duty to inform people whose data was obtained indirectly is part of the same picture. Recording this Legitimate Interests Assessment (LIA) is part of accountability.
Controller, processor and joint controller in practice
Roles are not labels you choose for convenience; they follow the facts of who decides the purposes and means. A few practical patterns: if you buy a dataset and decide how to use it, you are a controller; if a vendor enriches your data strictly on your instructions, it is typically your processor and needs an Article 28 data-processing agreement; if you and a partner jointly design a shared use, you may be joint controllers and must agree, under Article 26, how you split responsibilities. Where a supplier sells the same dataset to many buyers on its own terms, it is usually an independent controller, and a controller-to-controller arrangement (a data-sharing or licence agreement rather than a processing agreement) applies.
A sourcing compliance checklist
Before acquiring a dataset that may contain personal data, confirm:
- Whether the data is personal, pseudonymous or genuinely anonymous, and on what evidence.
- Your own lawful basis, documented, not inherited from the supplier.
- The controller/processor roles, with the right contract in place.
- Whether special-category data is involved and an additional condition applies.
- Any international transfer and its mechanism.
- The provenance: how the supplier collected the data lawfully and may license it to you.
- Whether a DPIA is required, and retention and deletion terms.
Where buyers most often go wrong
The recurring mistakes are predictable: assuming “publicly available” means free of obligations (it does not); treating pseudonymised data as anonymous; relying on the supplier’s lawful basis instead of establishing your own; and discovering an international transfer only after deployment. Each is avoidable with the checklist above applied at sourcing rather than after.
Key points
- If a dataset can identify individuals, directly or in combination with other data, the GDPR applies to your use of it.
- You need your own lawful basis; the supplier's does not transfer to you.
- Make controller/processor roles explicit in sourcing arrangements, with the matching contract.
- Robust anonymisation removes data from scope; pseudonymised data stays in scope.
This article is general information, not legal advice. Confirm obligations for your situation with qualified counsel.
Sources & further reading
- EUR-Lex, Regulation (EU) 2016/679 (GDPR).
- European Data Protection Board (EDPB), guidelines on anonymisation and international transfers.
- European Commission, Standard Contractual Clauses for international data transfers.
- European Commission, The Data Act (Regulation (EU) 2023/2854).
We support anonymisation, pseudonymisation and aggregation, with provenance and licensing documentation designed to support GDPR requirements. Get a no-obligation quote.