Identifying the correct lawful basis for each processing activity is one of the most consequential analytical tasks in a GDPR compliance programme. The basis selected determines which rights data subjects can exercise, what documentation must be maintained, what is communicated in the privacy notice, and whether a change in circumstances can disrupt the processing. Getting it wrong has cascading consequences that are difficult to correct without operational disruption.
This article provides the structured methodology for conducting and documenting lawful basis assessments. It covers the decision framework for each of the six Article 6 bases, the legitimate interests assessment process in detail, the documentation standard that satisfies the accountability principle, and the procedure for managing situations where the basis needs to change.
The Lawful Basis Assessment Process
A lawful basis assessment should be conducted for every distinct processing activity identified in the data mapping exercise. The assessment is conducted per activity, not per data category — the same data category may be processed for different purposes on different bases. Customer email addresses might be processed for service delivery on a contract basis and for marketing communications on a consent or legitimate interests basis. These are two separate processing activities requiring two separate assessments.
LAWFUL BASIS DECISION FRAMEWORK — SEQUENTIAL ANALYSIS
| Step | Question | If Yes | If No |
|---|---|---|---|
| 1 | Is this processing required by EU or member state law? | Basis: Legal obligation (Art. 6(1)(c)). Document the specific legal provision. | Continue to step 2 |
| 2 | Is this processing necessary to perform a contract with the data subject, or at their pre-contractual request? | Basis: Contract (Art. 6(1)(b)). Document the contractual necessity. Verify data subject is party to the contract. | Continue to step 3 |
| 3 | Is this processing necessary to protect someone’s life and no other basis is available? | Basis: Vital interests (Art. 6(1)(d)). Document why other bases are unavailable. | Continue to step 4 |
| 4 | Is this processing by a public authority exercising official functions authorised by law? | Basis: Public task (Art. 6(1)(e)). Document the legal authority. | Continue to step 5 |
| 5 | Does the organisation have a legitimate interest, is processing necessary for it, and do data subjects’ interests not override? | Basis: Legitimate interests (Art. 6(1)(f)). Complete a full LIA and document it. | Continue to step 6 |
| 6 | Has the data subject given freely given, specific, informed and unambiguous consent to this specific processing (Art. 4(11))? | Basis: Consent (Art. 6(1)(a)). Implement consent infrastructure; maintain consent records; make withdrawal as easy as giving consent (Art. 7(3)). | No valid basis exists. Processing cannot proceed. |
The Legitimate Interests Assessment: Full Methodology
The LIA is the most analytically demanding of the lawful basis assessments. Unlike the other bases, which depend on objectively verifiable conditions (a contract exists; a law requires it), legitimate interests requires a proportionality analysis that balances the organisation’s interests against the data subject’s interests, rights, and freedoms. The three-stage test below follows the EDPB’s Guidelines 1/2024 on processing based on Article 6(1)(f), adopted for public consultation in October 2024; the guidelines formalise the three-step test established in CJEU case law, so the structure is stable even though the text should be re-checked against the final version once adopted.
LIA STRUCTURE — THREE STAGES IN DETAIL
| Stage | Key Questions | What to Document |
|---|---|---|
| Stage 1: Purpose test — Is there a legitimate interest? | What is the specific interest being pursued? Is it the controller’s own interest or a third party’s? Is it lawful? Is it sufficiently clear and defined? | The specific interest identified; whether it is the controller’s or a third party’s; the legal permissibility of the interest; why a vague ‘business interest’ is not sufficient |
| Stage 2: Necessity test — Is processing necessary for that interest? | Could the interest be achieved by less intrusive means? Is the processing targeted and proportionate? Is there a clear link between the processing and the interest? | Alternative means considered and why they are inadequate; the link between processing scope and the interest; why the specific data types and subjects are necessary |
| Stage 3: Balancing test — Do data subject interests override? | What is the nature of the data (sensitive/non-sensitive)? What is the reasonable expectation of the data subject? What is the impact of the processing on data subjects? Do safeguards (opt-out, pseudonymisation) reduce the impact? | The data subject’s perspective; reasonable expectations in context; potential negative impact; mitigating safeguards implemented; conclusion and reasoning |
The balancing test is where most LIAs either succeed or fail. A superficial assessment — ‘data subjects would expect this processing’ without analysis — will not withstand DPA scrutiny. The assessment must genuinely engage with the potential negative impact of the processing on data subjects and explain why the organisation’s interests outweigh that impact. Where the impact is significant, robust safeguards must be identified and implemented.
| KEY IDEA | The LIA does not need to conclude that the data subject’s interests are unaffected. It needs to conclude that the controller’s legitimate interest, after applying proportionate safeguards, outweighs the impact on the data subject. A well-constructed LIA that honestly acknowledges some degree of data subject impact and explains why the balance nonetheless favours the controller is more credible — and more defensible — than one that implausibly concludes there is no impact at all. |
Common Legitimate Interests Scenarios
LEGITIMATE INTERESTS — COMMON COMMERCIAL SCENARIOS
| Processing Activity | LI Conclusion | Key Balancing Factors | Safeguards Required |
|---|---|---|---|
| Direct marketing to existing customers for similar products | Typically LI available (Recital 47 names direct marketing as a possible legitimate interest). Note that for electronic marketing (email, SMS) the ePrivacy ‘soft opt-in’ is a separate condition that must also be met; it is not itself the GDPR lawful basis | Customer relationship; reasonable expectation; product relevance; absolute right to object to direct marketing (Art. 21(2)) | Clear opt-out at every communication; suppression list maintained and honoured without delay |
| Fraud prevention and security monitoring | Strong LI; data subjects benefit from fraud prevention | Nature of monitoring; extent of data accessed; proportionality | Access limited to security team; strict retention limits; clear policy |
| Intra-group data sharing for HR administration | LI available with care; power imbalance risk | Employee data sensitivity; necessity of sharing; group structure | Documented intra-group data sharing agreement; transparency to employees |
| Network and information security logging | Strong LI (Recital 49 expressly recognises network and information security); security of all users benefits | Extent of monitoring; data retention period; access controls | Defined short retention justified by the security purpose (e.g. 90 days for routine logs, longer only where an investigation requires it); access limited; no profiling of individuals |
| Analytics on website visitor behaviour that does not store or read information on the user’s device | LI potentially available for the server-side analysis itself. Any cookie or similar storage/access on the user’s terminal equipment requires ePrivacy consent (Art. 5(3) ePrivacy Directive) regardless of the GDPR basis chosen | Nature of data; identifiability; user expectations from service | Pseudonymisation or anonymisation; IP truncation; no linkage to identified profiles |
| Soft credit checks / identity verification | LI may be available for fraud prevention purposes | Sensitivity of financial data; impact on data subject if incorrect | Minimal data; short retention; data subject informed; right to object |
Documentation Standard: What Must Be Recorded
The accountability principle requires that the lawful basis assessment for every processing activity be documented before processing begins. The documentation must be sufficient to reconstruct the analysis if challenged by a data subject exercising their right to object, or by a supervisory authority investigating the processing.
LAWFUL BASIS DOCUMENTATION — MINIMUM STANDARD PER BASIS
| Basis | Minimum Documentation |
|---|---|
| Legal obligation | Identification of the specific EU or member state law; the provision imposing the obligation; the scope of processing required by the obligation (no more, no less) |
| Contract | Identification of the contract; the specific processing activities necessary for performance; confirmation that data subject is party to the contract; why alternative means of performance without the data would not work |
| Vital interests | Description of the circumstances; why the data subject cannot consent; why no other basis is available; the nature of the vital interest protected |
| Public task | The legal authority for the task; the specific public task being performed; why processing is necessary for the task |
| Legitimate interests | Full LIA document covering all three stages; identification of the specific interest; necessity analysis; balancing test with conclusion; safeguards implemented; date of assessment; reviewer name |
| Consent | Consent collection mechanism description; consent notice text (version-controlled); per-individual consent records (timestamp, purpose, channel, notice version); withdrawal mechanism; withdrawal log |
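The consent row above lists the fields a per-individual record needs (timestamp, purpose, channel, notice version) and a withdrawal log. The following is an added example, not code from the original article or from any vendor, of a minimal append-only consent ledger that stores exactly those fields and answers the question a DPA or objecting data subject will ask: was processing for this purpose permitted for this person at this moment? Class names, purpose labels, subject IDs and dates are all hypothetical; timestamps are accepted as ISO 8601 strings.

```python
# Added example (hypothetical names and constructed sample data): an append-only
# consent ledger recording timestamp, purpose, channel and notice version per
# grant, plus withdrawals, so the consent state at any past instant can be
# reconstructed rather than overwritten.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


def _parse(ts: str) -> datetime:
    """Parse an ISO 8601 timestamp; naive values are treated as UTC so that
    records captured through different channels compare consistently."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str                    # one specific purpose, never a bundle
    action: str                     # "granted" or "withdrawn"
    at: datetime
    channel: str                    # web form, unsubscribe link, call centre, ...
    notice_version: Optional[str]   # notice text shown when consent was given


class ConsentLedger:
    """Events are only ever appended, never edited or deleted, which is what
    makes the record reconstructable if the basis is challenged later."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record_grant(self, subject_id: str, purpose: str, at: str,
                     channel: str, notice_version: str) -> None:
        # A grant without the notice version it was given against is not
        # evidence of informed consent, so refuse to record it.
        if not notice_version:
            raise ValueError("a grant must reference the notice version shown")
        self._events.append(ConsentEvent(subject_id, purpose, "granted",
                                         _parse(at), channel, notice_version))

    def record_withdrawal(self, subject_id: str, purpose: str, at: str,
                          channel: str) -> None:
        self._events.append(ConsentEvent(subject_id, purpose, "withdrawn",
                                         _parse(at), channel, None))

    def _latest(self, subject_id: str, purpose: str, at: str) -> Optional[ConsentEvent]:
        """Most recent event for (subject, purpose) at or before `at`; on equal
        timestamps the later-appended event wins (sorted() is stable)."""
        when = _parse(at)
        hits = [e for e in self._events
                if e.subject_id == subject_id and e.purpose == purpose and e.at <= when]
        return sorted(hits, key=lambda e: e.at)[-1] if hits else None

    def is_permitted(self, subject_id: str, purpose: str, at: str) -> bool:
        """Consent is purpose-specific: withdrawing one purpose leaves others intact,
        and nothing before the first grant or after a withdrawal is permitted."""
        e = self._latest(subject_id, purpose, at)
        return e is not None and e.action == "granted"

    def evidence(self, subject_id: str, purpose: str, at: str) -> Optional[Dict[str, str]]:
        """The record a controller would produce to prove consent existed at `at`."""
        e = self._latest(subject_id, purpose, at)
        if e is None or e.action != "granted":
            return None
        return {"timestamp": e.at.isoformat(), "channel": e.channel,
                "notice_version": e.notice_version or ""}

    def withdrawal_log(self) -> List[Tuple[str, str, str]]:
        return [(e.subject_id, e.purpose, e.at.isoformat())
                for e in self._events if e.action == "withdrawn"]


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample data: hypothetical subjects, purposes and dates."""
    ledger = ConsentLedger()
    ledger.record_grant("sub-1001", "marketing_email", "2024-03-01T09:15:00Z",
                        "web_form", "privacy-notice-v3")
    ledger.record_grant("sub-1001", "product_research", "2024-03-01T09:15:00Z",
                        "web_form", "privacy-notice-v3")
    ledger.record_withdrawal("sub-1001", "marketing_email", "2024-06-10T18:02:00Z",
                             "unsubscribe_link")
    ledger.record_grant("sub-2002", "marketing_email", "2024-04-20T12:00:00Z",
                        "call_centre", "privacy-notice-v3")
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print(ledger.is_permitted("sub-1001", "marketing_email", "2024-05-01T00:00:00Z"))
    print(ledger.is_permitted("sub-1001", "marketing_email", "2024-07-01T00:00:00Z"))
    print(ledger.withdrawal_log())
```

The point-in-time query is the part worth copying: because the ledger is never rewritten, a send that went out after 10 June 2024 to sub-1001 is provably unconsented, while the same subject’s product_research consent is untouched. A real deployment would persist the events with integrity protection (append-only storage or signed entries) and would also store the full notice text for each version, since the version label alone does not show what the person was told.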
Communicating the Basis in the Privacy Notice
Articles 13(1)(c) and 13(1)(d) require the privacy notice to state the purposes of processing and the lawful basis relied on, and, where the basis is legitimate interests, the legitimate interests pursued; Article 14(1)(c) and 14(2)(b) impose the same requirements where the data were not obtained from the data subject. This creates a direct link between the internal lawful basis documentation and the external-facing privacy notice: the basis documented internally must match the basis stated in the privacy notice, and the notice must be specific enough that a data subject can understand which basis applies to which processing.
A common failure is a privacy notice that states ‘we process your data on the basis of our legitimate interests’ for all processing, without specifying which processing activities, what those interests are, or which rights therefore apply. This fails the transparency requirement in Article 5(1)(a) and the specific notice requirements in Article 13.
PRIVACY NOTICE — LAWFUL BASIS DISCLOSURE EXAMPLES
| Processing Activity | Inadequate Disclosure | Compliant Disclosure |
|---|---|---|
| Website analytics | ‘We process data for analytics purposes’ | ‘We analyse how visitors use our website to improve our service. The lawful basis is our legitimate interest in understanding user behaviour to enhance our product. You have the right to object to this processing.’ |
| Marketing emails | ‘We may send you marketing communications’ | ‘We send marketing emails to customers who have opted in to receive them. The lawful basis is your consent. You can withdraw your consent at any time by clicking ‘unsubscribe’ in any email.’ |
| Order processing | ‘We use your data to process orders’ | ‘We process your name, address, and payment details to fulfil your order and deliver your purchase. The lawful basis is the performance of a contract with you.’ |
| Employee records | ‘We process employee personal data for HR purposes’ | ‘We process your employment records to manage the employment relationship, including payroll, performance management, and statutory reporting. The lawful bases are contract (employment), legal obligation (tax and employment law), and legitimate interests (HR management).’ |
Managing Basis Changes
The purpose limitation principle and transparency requirements together create a strong constraint on changing the stated lawful basis after processing has begun. The EDPB (Guidelines 05/2020 on consent) has stated that a controller cannot silently swap from consent to another lawful basis, and that a new basis cannot be applied retroactively to historical processing. If a basis was wrong when processing began, the historical processing was unlawful. If a basis needs to change going forward, because the original basis no longer applies, a structured process is required.
BASIS CHANGE PROCEDURE
| Scenario | Required Action | Compliance Risk |
|---|---|---|
| Original basis was wrong from the start (e.g., used consent when legitimate interests was more appropriate) | Acknowledge the error; assess whether historical processing was materially harmful; implement correct basis going forward; update privacy notice. An incorrect basis is not in itself a personal data breach under Art. 33, so DPA notification is a judgement call based on harm and risk rather than an automatic obligation; notify if an actual breach also occurred | High if harm caused; manageable if basis switch is transparent and timely |
| Original basis ceases to apply (e.g., contract ends; legal obligation is revoked) | Identify alternative basis if processing should continue; if no alternative, cease processing; delete data if no retention obligation; update privacy notice; notify data subjects | Low if handled promptly and transparently |
| Switching from consent to legitimate interests (e.g., low consent rates) | Cannot be done retroactively. Where an individual has withdrawn consent, the processing that relied on it must stop and cannot be continued on LI. For data subjects who have not yet been asked, assess whether LI was genuinely available and document the LIA; communicate the change with fresh notice before relying on it and provide the right to object | High; data subjects who consented may not expect processing to continue without their consent, and a DPA will view a switch driven by low opt-in rates with suspicion |
| New processing purpose identified for existing data (purpose extension) | Conduct compatibility assessment under Art. 6(4); if incompatible, new basis required (usually consent); if compatible, document and update privacy notice | Moderate — purpose limitation violation if incompatible processing proceeds without new basis |
Lawful basis documentation is not a one-time exercise. Processing activities change, regulatory guidance evolves, and the EDPB continues to issue guidance on specific bases — particularly legitimate interests — that may require organisations to revisit assessments previously considered adequate. Building a review cycle for lawful basis documentation — triggered by changes in processing activities, new EDPB guidance, or periodic audit — is part of the accountability programme that Article 5(2) requires.
| BITLION INSIGHT | Organisations that invest in documented LIAs for their legitimate interests processing consistently report greater confidence in their compliance position and fewer challenges from data subjects and DPAs. A well-reasoned, honestly balanced LIA that acknowledges the data subject’s perspective — even if it ultimately concludes the balance favours the controller — is a far stronger accountability document than a superficial justification written to support a predetermined conclusion. |