Lawfulness of Processing
Plain English Translation
Under GDPR Article 6, organizations must establish a valid GDPR lawful basis before processing any personal data. The regulation provides six distinct bases: consent, performance of a contract, legal obligation, vital interests, public task, and legitimate interests. Without identifying, documenting, and communicating one of these specific bases, the collection and processing of personal data is fundamentally unlawful.
Technical Implementation
Required Actions (startup)
- Determine the lawful basis for core product data collection before launch.
- Publish a privacy policy stating the legal basis for processing user data.
Required Actions (scaleup)
- Document the lawful basis for all internal and external data flows in a central Record of Processing Activities (RoPA).
- Implement a standardized Legitimate Interests Assessment (LIA) procedure for processing activities relying on Article 6(1)(f).
Required Actions (enterprise)
- Automate the tracking and tagging of lawful bases across microservices, applications, and data warehouses.
- Implement strict technical access controls preventing data processing or data analytics without an approved and documented lawful basis.
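The two enterprise actions above (tag every data flow with its lawful basis, and refuse processing that has no approved basis) can be enforced as a data-driven policy gate. The following is an added example, not WatchDog Security's or any product's code: a lookup keyed on the (dataset, purpose) pair rather than on the dataset alone, because the same data may be processed for several purposes and each needs its own basis. It also checks the prerequisites that a particular basis carries, such as a complete Legitimate Interests Assessment for Article 6(1)(f) or a valid consent record for Article 6(1)(a). The RoPA schema, the field names and the sample RoPA rows are assumptions constructed for this example.

```python
"""Lawful-basis policy gate (added example; schema and sample data are assumptions).

A processing request names a dataset and a purpose.  It is allowed only if the
Record of Processing Activities (RoPA) holds an approved entry for that exact
(dataset, purpose) pair and the basis-specific prerequisites are satisfied.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# The six Article 6(1) bases, used as tag values on RoPA rows.
LAWFUL_BASES = {
    "consent", "contract", "legal_obligation",
    "vital_interests", "public_task", "legitimate_interests",
}
# Three-part LIA test (purpose, necessity, balancing) plus an approval record.
LIA_REQUIRED = ("interest", "necessity", "balancing", "approved_by")


@dataclass
class ProcessingActivity:
    """One RoPA row (assumed schema). Keyed on (dataset, purpose)."""
    dataset: str
    purpose: str
    lawful_basis: str
    approved: bool = False              # sign-off by the data-protection owner
    lia: dict[str, str] | None = None   # required when basis is legitimate_interests
    review_date: date | None = None     # basis must be re-reviewed by this date


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def lia_complete(lia: dict[str, str] | None) -> bool:
    """All three test parts written up, and an approver recorded."""
    return lia is not None and all(str(lia.get(k, "")).strip() for k in LIA_REQUIRED)


def authorize(ropa: list[ProcessingActivity], dataset: str, purpose: str, *,
              consent_granted: bool | None = None, today: date | None = None) -> Decision:
    """Deny by default; allow only with an approved, current, complete basis."""
    today = today or date.today()
    entry = next((a for a in ropa if a.dataset == dataset and a.purpose == purpose), None)
    if entry is None:
        return Decision(False, "no RoPA entry for this dataset/purpose: no lawful basis identified")
    if entry.lawful_basis not in LAWFUL_BASES:
        return Decision(False, f"unknown lawful basis tag {entry.lawful_basis!r}")
    if not entry.approved:
        return Decision(False, "lawful basis documented but not approved")
    if entry.review_date is not None and today > entry.review_date:
        return Decision(False, f"lawful-basis review overdue since {entry.review_date.isoformat()}")
    if entry.lawful_basis == "legitimate_interests" and not lia_complete(entry.lia):
        return Decision(False, "legitimate interests claimed but no complete LIA on record")
    if entry.lawful_basis == "consent" and not consent_granted:
        return Decision(False, "consent basis but no valid consent record for this data subject")
    return Decision(True, f"approved basis: {entry.lawful_basis}")


# Constructed sample RoPA for the example; not real processing records.
CONSTRUCTED_ROPA = [
    ProcessingActivity("customers.orders", "order_fulfilment", "contract", approved=True),
    ProcessingActivity("customers.profile", "fraud_scoring", "legitimate_interests", approved=True,
                       lia={"interest": "prevent payment fraud",
                            "necessity": "cannot be achieved with order data alone",
                            "balancing": "expected by customers; no special-category data",
                            "approved_by": "dpo@example.com"}),
    # Tagged as legitimate interests but the LIA was never written.
    ProcessingActivity("customers.profile", "product_recommendations", "legitimate_interests", approved=True),
    ProcessingActivity("customers.email", "newsletter", "consent", approved=True),
    # LIA exists but the owner has not signed off.
    ProcessingActivity("analytics.events", "ab_testing", "legitimate_interests",
                       lia={"interest": "improve checkout", "necessity": "needs per-session events",
                            "balancing": "pseudonymised", "approved_by": "privacy@example.com"}),
    ProcessingActivity("hr.payroll", "tax_reporting", "legal_obligation", approved=True,
                       review_date=date(2025, 6, 30)),
]

if __name__ == "__main__":
    for ds, p in [("customers.orders", "order_fulfilment"), ("customers.profile", "product_recommendations"),
                  ("customers.orders", "marketing")]:
        print(ds, p, authorize(CONSTRUCTED_ROPA, ds, p, today=date(2026, 3, 1)))
```

The gate never infers a basis from the data itself: the tag comes from the RoPA row, so a missing or unapproved entry fails closed, and a row that claims legitimate interests without a complete assessment is treated as having no basis at all.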
The six options for a GDPR lawful basis are consent, performance of a contract, compliance with a legal obligation, protection of vital interests, performance of a public task, and legitimate interests.
To choose a lawful basis under GDPR Article 6, evaluate the specific purpose and context of each processing activity before collection begins. The right basis depends on the relationship with the individual, whether a contract with them is involved, whether the law compels the processing, and the operational requirements; choose the basis that most accurately fits the purpose, and record the reasoning.
When weighing consent (Article 6(1)(a)) against legitimate interests (Article 6(1)(f)): consent requires a freely given, specific, informed and unambiguous opt-in, and the individual must be able to withdraw it as easily as they gave it. Legitimate interests rests instead on a genuine operational need of the organization or a third party, provided that need is not overridden by the individual's interests or fundamental rights and freedoms; the individual retains the right to object under Article 21.
The contractual necessity basis (Article 6(1)(b)) applies when processing is objectively necessary to deliver the core service promised in a contract with the individual, or to take steps at the individual's request before entering into one. Processing that is merely useful to the business, or that the contract mentions but does not actually depend on, does not qualify.
A Legitimate Interests Assessment (LIA) template documents a three-part test: the purpose test (identify the legitimate interest), the necessity test (show the processing is necessary to achieve it and that no less intrusive means would do), and the balancing test (weigh it against the individual's interests, rights and freedoms). Whenever you rely on Article 6(1)(f), the accountability principle in Article 5(2) means you must be able to demonstrate this assessment, so complete and record it before processing starts.
Generally, no: you cannot switch to a different lawful basis after collecting the data. The basis must be identified and communicated before processing begins, and a retroactive change (for example, falling back to legitimate interests after consent is withdrawn) is unfair and breaches transparency. If the purpose or legal context genuinely changes, treat it as a new processing activity: document the new basis and inform the data subjects before processing on it.
Consent is not always required; it is only one of six bases. Employee data is usually processed on the basis of contract or legal obligation, since the imbalance of power between employer and employee means consent is rarely freely given. Marketing emails, whether B2B or B2C, often rely on legitimate interests or consent depending on context; note that ePrivacy rules (such as PECR in the UK) impose their own consent requirements for electronic direct marketing, separate from the Article 6 basis.
To document the lawful basis in the RoPA and the privacy notice, maintain an up-to-date Record of Processing Activities (Article 30) that maps each processing activity to its purpose and its exact lawful basis, with the LIA attached wherever legitimate interests is relied on, and carry the same purpose-to-basis mapping into the privacy notice so the two never diverge. Tools like WatchDog Security's Compliance Center can help maintain this mapping as structured evidence and highlight gaps during periodic reviews.
Under Articles 13 and 14, the privacy notice must state each purpose of the processing and its corresponding legal basis (and, where legitimate interests is relied on, what those interests are). When the data is collected from the individual, this information is due at the time of collection (Article 13). When it is obtained from another source, it is due within a reasonable period and at the latest within one month, or at the first communication with the individual if that comes sooner (Article 14(3)).
If there is no lawful basis, the processing is unlawful from the outset. This can result in severe enforcement action, including orders to cease processing, mandated deletion of the data, and administrative fines of up to 20 million EUR or 4% of total worldwide annual turnover, whichever is higher (Article 83(5)).
Article 6 compliance often fails when lawful basis decisions live in emails or spreadsheets and drift from actual processing. Tools like WatchDog Security's Compliance Center can centralize lawful-basis mappings as control evidence, flag missing documentation (e.g., no LIA when using legitimate interests), and support ongoing reviews through structured workflows.
LIAs require consistent documentation of purpose, necessity, and balancing tests, plus a clear approval trail for audit readiness. Tools like WatchDog Security's Risk Register can track each LIA as a risk decision with owners, review dates, and linked mitigations, while WatchDog Security's Policy Management can manage the underlying templates and capture approvals and attestations.
"Processing shall be lawful only if and to the extent that at least one of the following applies: (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (c) processing is necessary for compliance with a legal obligation to which the controller is subject; (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person; (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-23 | WatchDog Security GRC Team | Initial publication |