DAT-019 Lawful Basis for Processing
Description
Each processing activity has a documented lawful basis under GDPR Article 6 (or Article 9 for special categories). The lawful basis is recorded in the data inventory and disclosed in the privacy notice. Processing is not initiated or continued where no valid legal basis exists.
Rationale
Processing without a lawful basis is unlawful under GDPR regardless of technical security measures. This is the threshold question for all personal data processing.
Framework Mappings (4)
| Framework Control | Control Title | Coverage |
|---|---|---|
| DSP-12 | Limitation of Purpose in Personal Data Processing | partial |
| GDPR-Art.24 | Controller Responsibility and Demonstrable Compliance | partial |
| GDPR-Art.5.1a | Lawfulness, Fairness and Transparency of Processing | full |
| PT-2 | Authority to Process Personally Identifiable Information | full |
Evidence (2)
Lawful basis register documenting the legal basis assigned to each processing activity, maintained within the RoPA (Record of Processing Activities) or as a standalone register.
Example: Lawful Basis Register (OneTrust / Confluence / spreadsheet) — showing each processing activity mapped to a GDPR Art.6 legal basis (and Art.9 for special categories), with: basis selected, justification narrative, date assigned, and DPO review date
Test: Request the lawful basis register or the relevant RoPA fields. Verify: (1) every processing activity has a legal basis assigned, (2) consent is only recorded as the basis where a compliant consent mechanism exists, (3) legitimate interests entries are accompanied by a documented LIA (Legitimate Interests Assessment), (4) no activity is recorded with an invalid or absent basis, (5) register was reviewed within 12 months.
Privacy policy or internal processing standard confirming that processing without a valid legal basis is prohibited and specifying the process for documenting and reviewing legal bases.
Example: Data Processing Legal Basis Procedure (Confluence), approved by DPO — defining: how legal bases are selected for new processing, how changes to purposes trigger re-assessment, and who is authorised to approve a legal basis assignment
Test: Request the legal basis procedure. Verify: (1) explicitly states that processing without a documented legal basis is prohibited, (2) defines a process for evaluating and recording the legal basis for new processing activities, (3) specifies re-assessment is triggered when purposes change, (4) requires DPO review of legal basis assignments.
Questions (2)
Does every personal data processing activity in your organisation have a documented lawful basis under GDPR Article 6 (or Article 9 for special categories) recorded in the data inventory or RoPA?
The legal basis must be specific to each processing purpose and disclosed in the privacy notice. Processing without a valid, documented legal basis is unlawful regardless of the technical security measures in place.
Which GDPR Article 6 legal bases does your organisation rely upon for processing personal data?
Reliance on legitimate interests requires a documented Legitimate Interests Assessment (LIA). Reliance on consent must be backed by a compliant consent management mechanism. This question helps identify whether the appropriate legal bases are in use for the type of processing described.