1. Introduction

When the General Data Protection Regulation (GDPR) came into force, it transformed how organizations handle personal data across the EU and, because of its extraterritorial reach, globally. One of its most fundamental requirements is an established legal basis for every data processing activity.

Without a clear and documented legal basis, even well-intentioned data collection can breach the GDPR, exposing the organization to heavy fines and loss of consumer trust.

This article explains what an established legal basis means under the GDPR, walks through the six lawful bases for processing, and gives practical guidance on how to determine and document your lawful basis.

2. What Does "Established Legal Basis" Mean in GDPR?

Under Article 6 of the GDPR, organizations must have a lawful basis to process personal data. In plain terms, you need a legitimate reason, recognized by law, for collecting, using, or storing someone's personal information.

An "established legal basis" means your organization has:
(a) identified the correct lawful basis for each processing purpose, and
(b) properly documented and communicated that basis as part of its GDPR compliance program.

You cannot process personal data on assumptions or convenience. Every activity, from sending marketing emails to tracking website analytics, must be justified under one of the six bases listed in Article 6(1). Note that special categories of data (for example, health data) additionally require one of the conditions in Article 9(2); an Article 6 basis alone is not enough for them.

3. The Six Legal Bases Under GDPR

The GDPR recognizes six lawful bases for processing personal data. Each is summarized below with a plain explanation and a practical example.

3.1 Consent

Processing is lawful when the data subject has given clear and informed consent for one or more specific purposes.
Example: A user subscribes to a newsletter and ticks a box agreeing to receive marketing updates.
Key point: Consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes or bundled consent are not valid, and withdrawing consent must be as easy as giving it (Article 7(3)).
Tip: Keep a record of when and how consent was obtained; this is what lets you demonstrate compliance later.

3.2 Contract

Processing is lawful when it is necessary for the performance of a contract with the data subject, or to take steps at the data subject's request before entering into a contract.
Example: An e-commerce platform uses a customer's address to deliver the order.
Key point: The processing must be genuinely necessary to fulfil the contract's purpose, not merely useful to the business.

3.3 Legal Obligation

This basis applies when processing is necessary to comply with a legal obligation to which the controller is subject.
Example: An employer processing payroll data to meet tax reporting requirements.
Key point: The obligation must be laid down in EU or member state law; a purely contractual obligation does not qualify.

3.4 Vital Interests

Processing is lawful when it is necessary to protect the vital interests of the data subject or of another natural person.
Example: A hospital accesses a patient's medical history in an emergency.
Key point: This basis is reserved for situations where life or physical safety is at stake, and it should be relied on only where the processing cannot clearly be based on another lawful basis.

3.5 Public Task

Used mainly by public authorities, this basis covers processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Example: A government agency collecting census data.
Key point: The task or authority must itself be laid down in EU or member state law (Article 6(3)).

3.6 Legitimate Interests

The most flexible, and the most often misused, legal basis. Processing is lawful when it is necessary for the legitimate interests of the controller or a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject.
Example: A business using security cameras to deter and investigate theft.
Key point: Carry out and record a Legitimate Interests Assessment (LIA) that identifies the interest, shows the processing is necessary for it, and balances it against the individual's rights. Public authorities cannot rely on this basis for processing carried out in the performance of their tasks.

4. How to Determine and Document Your Legal Basis

Determining the correct legal basis is not a formality; it is central to GDPR compliance and to the accountability principle in Article 5(2).

A step-by-step approach:
1. Identify all your data processing activities. Map every point where your organization collects, stores, or uses personal data.
2. Define the purpose of each activity. Ask why the data is being collected. The purpose must be specific and legitimate.
3. Match each purpose to the most appropriate lawful basis. Use the six bases as a checklist and choose the one that fits the processing naturally.
4. Record your reasoning. Document the decision and its justification in your Record of Processing Activities (ROPA), which is required under Article 30.
5. Update your privacy notice. Communicate the lawful basis to individuals in clear, accessible language.
6. Review regularly. As business models evolve, revisit each lawful basis to ensure it still applies.

Remember: the lawful basis must be established and documented before processing begins, not after.

5. Common Mistakes When Establishing a Legal Basis

Even organizations with good intentions stumble. The most frequent pitfalls:
- Using consent unnecessarily: some organizations rely on consent where contract or legitimate interests would be more appropriate. Consent can be withdrawn at any time, which makes the processing harder to sustain and manage.
- Changing the lawful basis later: you should not switch to a different basis after the data has been collected unless there is a genuinely new lawful reason for the processing.
- Not informing data subjects: Articles 13 and 14 require that the lawful basis be stated in the information given to individuals at the time of collection (or, where the data was not obtained from them directly, within a reasonable period).
- Inconsistent documentation: failing to record decisions, or to link them to specific processing activities, leaves gaps you cannot defend in an audit.

Avoid these errors by conducting regular GDPR audits and maintaining detailed records of every legal basis relied upon.

6. How to Communicate the Legal Basis to Data Subjects

Transparency is one of the core principles of the GDPR. You must clearly inform individuals of the legal basis for processing in your privacy notice or data collection forms.

What to include:
- The specific lawful basis relied upon (e.g., consent, contract) and, where legitimate interests is relied on, what those interests are
- The purpose of the processing
- Any recipients or third parties who will receive the data
- The individual's rights (e.g., the right to withdraw consent or to object to processing)

Example privacy notice excerpt:
"We process your personal data to deliver the products you purchase from us (performance of a contract) and to send updates about your order (legitimate interests)."

Tip: Use plain language; legal jargon undermines transparency and trust.

7. When and How to Reassess Your Legal Basis

GDPR compliance is not a one-time task. Review and reassess your established legal bases when:
- you introduce a new product or service;
- the purpose of processing changes;
- you start using new technologies (e.g., AI-based analytics);
- you engage new processors or vendors.

Best practice: conduct a GDPR audit at least annually to confirm that each processing activity still aligns with its stated lawful basis, and update your ROPA and privacy notices accordingly.

8. Consequences of Not Having an Established Legal Basis

Failing to establish, or to be able to prove, a lawful basis can result in serious regulatory penalties. Under Article 83(5), infringements of the basic principles for processing, including the lawful basis requirement in Article 6, can attract fines of up to €20 million or 4% of total worldwide annual turnover, whichever is higher.

Case example: Meta (Facebook) and the contract and legitimate interests bases
In January 2023, the Irish Data Protection Commission fined Meta €390 million for relying on the "contract" basis to run behavioural advertising on Facebook and Instagram, and later that year European regulators also ruled out "legitimate interests" as a basis for the same processing. The regulators found that neither basis could support behavioural advertising, so the processing lacked a valid legal basis. The case shows how critical it is to choose and justify the right basis from the start.

Aside from financial penalties, non-compliance can lead to:
- reputational damage;
- loss of customer trust;
- legal disputes and data subject complaints.

9. Best Practices and Compliance Checklist

A quick GDPR legal basis compliance checklist to help you stay on track:
✅ Identify and map all data processing activities.
✅ Determine the purpose of each activity.
✅ Select the most appropriate lawful basis under Article 6.
✅ Document the decision in the Record of Processing Activities (ROPA).
✅ State the lawful basis clearly in your privacy notice.
✅ Maintain evidence (e.g., consent records, legitimate interests assessments).
✅ Review regularly and update when processing purposes change.

Helpful tools:
- ICO lawful basis interactive guidance (UK)
- European Data Protection Board (EDPB) guidelines on lawful basis
- GDPR compliance software for record-keeping and audit trails

Pro tip: Embed GDPR compliance into your data governance strategy rather than treating it as a standalone task.

10. Conclusion

An established legal basis under the GDPR is not a checkbox; it is the foundation of lawful, transparent, and ethical data processing. By identifying, documenting, and communicating the correct lawful basis for every activity, your organization demonstrates accountability and builds trust with customers and regulators alike.

Take the time to review your current data practices, ensure every processing activity is justified, and maintain proper documentation. Doing so not only keeps you compliant; it strengthens your reputation as a responsible data custodian.

Read more: https://www.gdprconsultants.in/