
Lawful Basis for Processing

Updated: 2026-05-06

Plain English Translation

Processing personal data is lawful only if it rests on one of the criteria in Section 12 of RA 10173 (the Data Privacy Act of 2012), as implemented by Rule V, Section 21 of the IRR. The most common criteria are the data subject's consent, the performance of a contract with the data subject, and compliance with a legal obligation. Organizations must identify and document the applicable lawful basis for each processing activity before that processing begins. Where consent is the basis, it must be freely given, specific, informed, and evidenced by written, electronic, or recorded means.

Executive Takeaway

Organizations must identify and document a specific lawful basis—such as consent, contract, or legitimate interest—before collecting or processing any personal data.

Impact: High
Complexity: Medium

Why This Matters

  • Processing personal data without a recognized lawful basis violates RA 10173 and exposes the organization to National Privacy Commission enforcement, including sanctions and orders to stop the processing.
  • Improves organizational transparency and strengthens consumer trust by clearly communicating why and how their data is legally processed.
  • Ensures that data collection is strictly tied to operational necessities rather than arbitrary hoarding, reducing overall breach risk.

What “Good” Looks Like

  • A comprehensive Record of Processing Activities (RoPA) that maps every data element to its specific lawful processing criteria; tools like WatchDog Security's Compliance Center can help organize related evidence and gap tracking.
  • Public privacy notices that clearly articulate the legal justification (e.g., consent or contract) for each type of data processed, with tools like WatchDog Security's Policy Management supporting version control and review history.
  • Formal Legitimate Interest Assessments (LIAs) conducted and documented whenever the organization relies on legitimate interest.

What is a lawful basis?

A lawful basis is the specific legal justification, drawn from the criteria in Rule V, Section 21 of the IRR (implementing Section 12 of RA 10173), that an organization must establish before collecting or using any personal data.

What are the criteria for lawful processing?

The Section 21 criteria are: consent of the data subject; fulfillment of a contract with the data subject; compliance with a legal obligation; protection of the data subject's life and health (vital interests); response to a national emergency or the requirements of public order and safety as prescribed by law; fulfillment of a public authority's constitutional or statutory mandate; and the legitimate interests of the controller or a third party.

Is consent always required?

No. Processing is lawful if it satisfies any one of the other criteria, such as performing a contract with the data subject or complying with a legal obligation. Consent is one basis among seven, not a prerequisite for the others.

When can an organization process personal data without consent?

An organization can process data without consent when the processing is necessary to fulfill a contract with the data subject, to comply with a law, to protect the data subject's vital interests, or to pursue a legitimate interest that is not overridden by the data subject's fundamental rights and freedoms.

How does consent differ from legitimate interest?

Consent requires the data subject's freely given, specific, and informed agreement, evidenced by written, electronic, or recorded means. Legitimate interest requires no agreement from the data subject; instead, the processing must be necessary for the legitimate interests of the controller or a third party, and those interests must not be overridden by the data subject's fundamental rights and freedoms. A documented Legitimate Interest Assessment (LIA) is how the organization shows that balancing was actually done.

How should the lawful basis be documented?

Organizations should map their data flows and record the specific lawful basis assigned to each processing activity in their Record of Processing Activities (RoPA), together with the evidence that supports it (consent records, the relevant contract or statute, or the LIA). Tools like WatchDog Security's Compliance Center can help maintain evidence and control status for those lawful-basis mappings.

What makes consent valid?

Consent must be a freely given, specific, informed indication of will, obtained prior to collection (or as soon as practicable and reasonable), and evidenced by written, electronic, or recorded means. Consent that is bundled, pre-ticked, or a condition of an unrelated service is difficult to defend as freely given and specific.

Can data be processed to perform a contract without separate consent?

Yes. Section 21(b) permits processing that is necessary to fulfill obligations under a contract to which the data subject is a party, or to take steps at the data subject's request prior to entering into a contract. No additional consent is needed for processing that the contract itself requires.

What must a privacy notice say about the lawful basis?

A privacy notice must transparently explain the purpose of each data collection and identify the lawful criterion (e.g., consent, contract, legitimate interest) relied upon for each processing activity. Tools like WatchDog Security's Policy Management can help track notice versions, review cycles, and approval history.

How do teams prove compliance?

Teams prove compliance by presenting a current RoPA in which every processing activity carries a stated basis, verifiable consent records for consent-based activities, documented LIAs for legitimate-interest activities, and privacy notices whose stated bases agree with the RoPA.
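The checks described in the documentation and proof-of-compliance answers above can be made mechanical. The following is an added example, written for this page and not part of the original material or of any vendor's product: a small Python audit over a RoPA that flags activities with no Section 21 basis, consent-based activities without dated consent evidence, consent recorded after processing started (which Section 21(a) allows only "as soon as practicable and reasonable", so it is flagged for justification rather than failed outright), legitimate-interest activities without an LIA, and activities whose privacy notice does not name the basis. The record layout (`Activity` fields) and the sample RoPA rows are constructed for the illustration; only the seven basis codes and the three consent forms come from the law.

```python
"""Consistency checks over a Record of Processing Activities (RoPA).

Added example for this page; not the page's own material and not any
vendor's tooling. The record layout below is a constructed illustration;
the seven basis codes mirror Rule V, Section 21(a)-(g) of the IRR.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Section 21 criteria keyed by a short code used in the record.
LAWFUL_BASES = {
    "consent": "21(a)",
    "contract": "21(b)",
    "legal_obligation": "21(c)",
    "vital_interests": "21(d)",
    "national_emergency": "21(e)",
    "public_authority": "21(f)",
    "legitimate_interests": "21(g)",
}

# Section 3(b) of RA 10173: consent is evidenced by written, electronic
# or recorded means.
CONSENT_FORMS = {"written", "electronic", "recorded"}


@dataclass
class Activity:
    """One RoPA row (constructed field layout for this example)."""
    name: str
    purpose: str
    data_elements: list[str]
    basis: str
    processing_start: date
    consent_obtained: Optional[date] = None
    consent_form: Optional[str] = None
    lia_reference: Optional[str] = None   # document id of the LIA, if any
    notice_states_basis: bool = False     # does the public notice name the basis?


def check_activity(a: Activity) -> list[str]:
    """Return the list of gaps for one activity (empty list means defensible)."""
    gaps: list[str] = []
    if a.basis not in LAWFUL_BASES:
        gaps.append(f"basis '{a.basis}' is not a Section 21 criterion")
    if not a.data_elements:
        gaps.append("no data elements mapped to this activity")
    if not a.purpose.strip():
        gaps.append("purpose not stated")
    if not a.notice_states_basis:
        gaps.append("privacy notice does not identify the lawful basis")

    if a.basis == "consent":
        if a.consent_obtained is None or a.consent_form is None:
            gaps.append("consent relied on but no consent evidence recorded")
        else:
            if a.consent_form not in CONSENT_FORMS:
                gaps.append(f"consent form '{a.consent_form}' is not written/electronic/recorded")
            if a.consent_obtained > a.processing_start:
                # 21(a) allows consent 'as soon as practicable and reasonable',
                # so this is a gap to justify, not an automatic failure.
                gaps.append("consent obtained after processing began; justify under 21(a)")

    if a.basis == "legitimate_interests" and not a.lia_reference:
        gaps.append("legitimate interests relied on without a documented LIA")
    return gaps


def audit_ropa(activities: list[Activity]) -> dict[str, list[str]]:
    """Map each activity that has at least one gap to its list of gaps."""
    return {a.name: g for a in activities if (g := check_activity(a))}


# Constructed sample RoPA for the example run (not real processing records).
SAMPLE_ROPA = [
    Activity("order_fulfilment", "Ship purchased goods", ["name", "address"],
             "contract", date(2025, 1, 10), notice_states_basis=True),
    Activity("marketing_email", "Send promotional offers", ["email"],
             "consent", date(2025, 2, 1), consent_obtained=date(2025, 2, 15),
             consent_form="electronic", notice_states_basis=True),
    Activity("fraud_scoring", "Detect payment fraud", ["ip", "device_id"],
             "legitimate_interests", date(2025, 3, 1), notice_states_basis=False),
    Activity("analytics", "Product analytics", [],
             "business_need", date(2025, 3, 1), notice_states_basis=True),
]

if __name__ == "__main__":
    for name, gaps in audit_ropa(SAMPLE_ROPA).items():
        print(name)
        for g in gaps:
            print("  -", g)
```

Running the audit against the constructed rows leaves `order_fulfilment` clean, flags `marketing_email` for consent recorded two weeks after processing began, flags `fraud_scoring` for both a silent privacy notice and a missing LIA, and rejects `analytics` because "business need" is not one of the Section 21 criteria and no data elements are mapped to it. In practice the `Activity` rows would be loaded from the organization's real RoPA export and the check run on every change to a notice, a vendor, or a product.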

Lawful basis decisions are difficult to defend when they are scattered across spreadsheets, privacy notices, and application owners' notes, because an auditor or the NPC will ask for the basis of a specific activity and expect the supporting evidence alongside it. Tools like WatchDog Security's Compliance Center can help centralize control mapping, evidence collection, and gap tracking so teams can connect each processing activity to its documented lawful criterion.

A common issue is that privacy notices, internal procedures, and consent records drift apart as products and vendors change. Tools like WatchDog Security's Policy Management can support version control, review workflows, and acceptance tracking for the policies that explain how lawful basis and consent are handled.

PHILIPPINES-DPA Rule V, Section 21(a)

"The data subject must have given his or her consent prior to collection, or as soon as practicable and reasonable."

PHILIPPINES-DPA Rule V, Section 21(b)

"It involves processing of personal information of a data subject who is a party to a contractual agreement, in order to fulfill obligations under the contract or to take steps at the request of the data subject prior to entering into a contract."

PHILIPPINES-DPA Rule V, Section 21(g)

"The processing must be necessary to pursue the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject..."

Version history

Version: 1.0.0
Date: 2026-05-06
Author: Compliance Content Specialist
Description: Initial publication