Implementing Lawful Basis Assessment

Implementing Lawful Basis Assessment

Overview

Every processing activity under GDPR must have a valid lawful basis established before processing begins. Article 6(1) provides six mutually non-exclusive bases. Selecting the wrong basis creates compliance risk, may invalidate the processing entirely, and can result in enforcement action. This skill provides a systematic methodology for evaluating and documenting the appropriate lawful basis.

The Six Lawful Bases — Art. 6(1)

(a) Consent

The data subject has given consent to the processing of their personal data for one or more specific purposes.

Requirements per Art. 7 and Recital 32:

• Freely given: genuine choice, no imbalance of power, no conditionality (Art. 7(4))
• Specific: granular consent for distinct processing purposes
• Informed: clear plain language about identity, purpose, data types, rights
• Unambiguous: clear affirmative action (no pre-ticked boxes, no silence)
• Withdrawable: as easy to withdraw as to give (Art. 7(3))

Best suited for: Marketing communications, cookies/tracking, research participation, sharing data with third parties for their own purposes.

Not appropriate when: There is a power imbalance (employer-employee, public authority-citizen), processing is necessary for another basis, or withdrawal would be impractical.

(b) Contract Performance

Processing is necessary for the performance of a contract to which the data subject is party, or to take steps at the data subject's request prior to entering into a contract.

Key test: Would the contract be impossible to perform without this specific processing? The processing must be objectively necessary, not merely useful or standard practice.

Best suited for: Delivering purchased goods, processing payments, providing contracted services, pre-contractual enquiries at the data subject's request.

Not appropriate when: Processing is useful but not necessary for the contract (e.g., profiling customers is not necessary to deliver their order).

(c) Legal Obligation

Processing is necessary for compliance with a legal obligation to which the controller is subject.

Requirements:

• The obligation must be laid down by EU or Member State law (not contractual obligations)
• The law must be sufficiently clear about the processing required
• The processing must be limited to what is necessary to comply

Best suited for: Tax reporting, employment law obligations, anti-money laundering checks, regulatory reporting, court orders.

(d) Vital Interests

Processing is necessary to protect the vital interests of the data subject or of another natural person.

Requirements:

• Relates to life-or-death situations or serious medical emergencies
• Cannot be used if another lawful basis is available (Recital 46)
• Very narrow scope in practice

Best suited for: Emergency medical treatment for unconscious patients, disaster response, humanitarian crises.

(e) Public Task

Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Requirements:

• Must have a basis in EU or Member State law
• The specific task or function must be defined in law
• Primarily applies to public authorities and bodies

Best suited for: Public administration, law enforcement, statutory functions of public bodies, public health monitoring.

(f) Legitimate Interests

Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

Requirements (three-part test):

1. Purpose test: Is there a legitimate interest? (commercial, societal, or individual)
2. Necessity test: Is the processing necessary for that interest? (no less intrusive alternative)
3. Balancing test: Do the data subject's interests override the controller's?

Best suited for: Fraud prevention, network security, direct marketing to existing customers, intra-group administrative transfers, internal analytics.

Not available to: Public authorities in the performance of their tasks (Art. 6(1) final paragraph).

Decision Tree for Lawful Basis Selection

Step 1: Is the processing required by law?

• YES → Art. 6(1)(c) Legal Obligation. Identify the specific law and provision.
• NO → Proceed to Step 2.

Step 2: Is the processing necessary to perform a contract with the data subject?

• YES → Art. 6(1)(b) Contract Performance. Verify objective necessity (not just convenience).
• NO → Proceed to Step 3.

Step 3: Is this a life-threatening or medical emergency?

• YES → Art. 6(1)(d) Vital Interests. Document why no other basis applies.
• NO → Proceed to Step 4.

Step 4: Is the controller a public authority performing a statutory function?

• YES → Art. 6(1)(e) Public Task. Identify the legal basis for the task.
• NO → Proceed to Step 5.

Step 5: Does the controller have a legitimate interest that requires this processing?

• YES → Conduct a Legitimate Interest Assessment (three-part test).
  • If the LIA concludes the controller's interest is not overridden → Art. 6(1)(f).
  • If the LIA concludes the data subject's rights prevail → Consider consent or do not process.
• NO → Proceed to Step 6.

Step 6: Can the data subject provide valid consent?

• Verify: no power imbalance, genuine choice, specific purpose, can withdraw without detriment.
• YES → Art. 6(1)(a) Consent. Implement compliant consent mechanism.
• NO → Processing may not have a valid lawful basis. Do not proceed. Consult the DPO.

Documentation Requirements

For each processing activity, document:

1. Processing activity name and RoPA reference: Link to the Art. 30 record.
2. Selected lawful basis: Cite the specific Art. 6(1) paragraph.
3. Rationale: Explain why this basis was selected and why alternatives were rejected.
4. Necessity analysis: Demonstrate why the processing is necessary for the stated basis (not merely useful).
5. Supporting evidence: Reference the specific law (for legal obligation), contract (for contract performance), LIA (for legitimate interest), or consent mechanism (for consent).
6. Special category data: If Art. 9 data is involved, identify the additional Art. 9(2) condition.
7. Criminal offence data: If Art. 10 data is involved, confirm the specific authorisation in EU/Member State law.
8. Review date: Set the next review date (recommended: annually or upon material change).

Common Assessment Errors

1. Defaulting to consent: Using consent when another basis is more appropriate, creating unnecessary withdrawal risk.
2. Stretching contract performance: Claiming processing is necessary for a contract when it is merely beneficial (e.g., profiling for cross-selling is not necessary to fulfil a purchase order).
3. Citing non-existent legal obligations: Referencing industry standards or contractual requirements as "legal obligations" when they do not constitute EU or Member State law.
4. Ignoring the necessity test: Selecting a basis without demonstrating that the specific processing is necessary (not just the purpose).
5. Switching bases post-hoc: Changing the lawful basis after processing has begun when the original basis fails, without valid justification.
6. Overlooking power imbalances: Relying on employee consent for workplace processing where genuine free choice is absent.

Integration with Other GDPR Requirements

• Transparency (Art. 13/14): The lawful basis must be communicated to data subjects in the privacy notice.
• Data subject rights: The lawful basis determines which rights are available (e.g., right to erasure is limited where legal obligation applies; right to data portability only applies to consent and contract).
• RoPA (Art. 30): The lawful basis should be recorded alongside each processing activity.
• DPIA (Art. 35): High-risk processing may require a DPIA regardless of which lawful basis is selected.