Lawful Basis for Processing
Every processing activity involving personal data must have a lawful basis under GDPR Article 6. There are six options, and choosing the wrong one creates compliance risk. You must determine and document your lawful basis before processing begins — it cannot be changed retroactively.
The Six Lawful Bases
Consent — the individual has given clear, affirmative consent for a specific purpose. Consent must be freely given, specific, informed, and unambiguous. It can be withdrawn at any time, which means you must be prepared to stop processing.
Contractual necessity — processing is necessary to perform a contract with the individual or to take pre-contractual steps at their request. This covers most processing required to deliver a service the individual has purchased.
Legal obligation — processing is necessary to comply with a legal obligation. This covers mandatory tax reporting, regulatory requirements, and court orders.
Vital interests — processing is necessary to protect someone's life. This is rarely applicable outside emergency situations.
Public task — processing is necessary for performing a task in the public interest or in the exercise of official authority. This primarily applies to public authorities.
Legitimate interests — processing is necessary for legitimate interests pursued by the controller or a third party, unless overridden by the individual's interests or rights. This is the most flexible basis but requires a documented balancing test.
Choosing Your Basis
For SaaS companies, the most common bases are: contractual necessity for delivering the core service; legitimate interests for analytics, security, and fraud prevention; and consent for marketing communications. Avoid relying on consent when another basis applies — consent can be withdrawn, disrupting your processing.
Documentation
Maintain a record of your lawful basis for each processing activity. This is typically captured in your Record of Processing Activities (ROPA) and reflected in your privacy notice. Be prepared to demonstrate your lawful basis to supervisory authorities.
In the next lesson, we will cover the Data Protection Officer role.