5.(1) A data controller or data processor may process data without consent of a data subject if the processing is necessary for any reason set out in section 30(1) (b) of the Act.

(2) Processing under sub-regulation (1) shall only rely on one legal basis for processing at a time, which shall be established before the processing.

(3) The legal basis relied on under sub-regulation (1) shall be demonstrable at all times and where a data controller uses multiple bases for different processing, the data controller shall—

(a) distinguish between the legal bases being used; and

(b) respondtoanydatasubjectrightsrequests.