GRCWatch
Sign inStart free trial

GDPR Article 6: Identify and Document Lawful Basis for Processing

Every data processing activity must have a documented lawful basis under GDPR Article 6, or your organization faces substantial fines. This control requires you to map each processing activity to one of six lawful bases and, for legitimate interests, conduct a formal Legitimate Interests Assessment (LIA). Without clear documentation, regulators will assume your processing is unlawful.

What this means

Article 6 of the GDPR requires organizations to establish and document a valid legal ground before processing personal data. The six lawful bases are: consent (explicit opt-in), contract (processing necessary to fulfill an agreement), legal obligation (compliance with law), vital interests (protecting someone's life or health), public task (performing official duties), and legitimate interests (your business needs, balanced against individual rights). For legitimate interests processing, you must complete a Legitimate Interests Assessment documenting why processing is necessary, why individuals would reasonably expect it, and why your interests outweigh their privacy rights.

How to comply

  1. 1.Map each data processing activity to one of the six lawful bases (consent, contract, legal obligation, vital interests, public task, or legitimate interests)
  2. 2.Document the lawful basis selection in your Records of Processing Activities (ROPA) or data inventory
  3. 3.For consent-based processing, ensure opt-in mechanisms are affirmative and freely given, with clear withdrawal procedures
  4. 4.For contract-based processing, verify that processing is genuinely necessary to perform the agreement
  5. 5.For legal obligation or public task, document the specific law or public mandate requiring processing
  6. 6.For vital interests processing, document life-or-death circumstances justifying the activity
  7. 7.For legitimate interests processing, conduct and document a formal Legitimate Interests Assessment (LIA) that evaluates necessity, reasonable expectations, and interest balancing
  8. 8.Review and update lawful basis documentation annually or whenever processing activities change
  9. 9.Train data handlers to understand the lawful basis for their specific processing activities

Evidence auditors look for

  • Records of Processing Activities showing lawful basis assignment for each processing activity
  • Completed Legitimate Interests Assessments for legitimate interests-based processing
  • Consent management logs with timestamps for opt-in and withdrawal
  • Contractual agreements or statements of work documenting necessity of processing
  • Internal policies defining lawful basis criteria for different processing categories
  • Data processing agreements (DPAs) referencing the lawful basis in each clause
  • Training records showing staff awareness of lawful basis requirements
  • Audit logs demonstrating lawful basis review during processing activity updates

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates lawful basis mapping and Legitimate Interests Assessment workflows, letting you assign and audit lawful bases across your data inventory without manual spreadsheets, while tracking changes and generating regulator-ready documentation.

See how GRCWatch handles this control automatically

Start free trial

Related controls

GDPR-A5-01-Lawfulness-Fairness-TransparencyGDPR-A13-DPIA-Data-Protection-Impact-AssessmentGDPR-A4-Records-of-Processing-ActivitiesGDPR-A7-Consent-Management