GDPR Art. 6 prohibits all personal data processing without a lawful basis — there are only six valid bases (consent, contract, legitimate interest, legal obligation, vital interests, public task), and mixing them up is not a technicality. If you send marketing emails claiming "contract" as the basis because you have the email from signup, that is a direct GDPR violation. LGPD Art. 7 imposes the same requirement for Brazilian users. Without documented lawful bases, the business cannot respond coherently to a data subject access request, a supervisory authority inquiry, or a lawsuit. ISO-27001:2022 A.5.34 requires organizations to identify and apply the correct legal basis as part of privacy governance.
Severity is high because processing personal data without a documented lawful basis is a per-activity violation under GDPR Art. 6 — regulators can prohibit the processing entirely until it is remediated.
Map lawful bases in a data register. This does not require code changes — a documented record satisfies the regulatory obligation.
Data Register (data-register.md or spreadsheet):

| Data Type    | Collection Point  | Lawful Basis     | Notes                                       |
|--------------|-------------------|------------------|---------------------------------------------|
| Email        | Signup form       | Contract         | Required to deliver service                 |
| Email        | Newsletter opt-in | Consent          | Separate checkbox; opt-out in every email   |
| Usage events | In-app analytics  | Legitimate int.  | Balancing test: pseudonymous, low impact    |
| Payment info | Checkout          | Contract         | Required for payment processing             |
| IP address   | Server logs       | Legal obligation | 90-day retention; security use only         |
For legitimate interest claims, include a brief balancing test: what is the business purpose, what is the privacy impact, and why the interest is not overridden by user rights. Add this register to your GDPR Art. 30 Records of Processing Activities (ROPA) filing.
ID: data-protection.data-collection-consent.lawful-basis-documented
Severity: high
What to look for: Enumerate every relevant item. Look for documentation — in code comments, privacy policy, a data register spreadsheet, or a RECORDS.md — that specifies the lawful basis for each data collection point. The six GDPR lawful bases are: (1) consent, (2) contract (data needed to deliver the service), (3) legitimate interest, (4) legal obligation, (5) vital interests, (6) public task. Check: is email collected because it's needed for the service (contract) or for marketing newsletters (consent)? Is usage analytics collected under legitimate interest with a balancing test documented? Is the distinction between these bases clearly articulated anywhere?
Pass criteria: At least 1 of the following conditions is met. For each significant data collection point, the lawful basis is documented. This does not need to be in code — it can be in the privacy policy (which must already cover this per the previous check), a data register, or a comments block in onboarding code. The distinction between data collected under contract vs. consent vs. legitimate interest is clear and accurate.
Fail criteria: No documentation of lawful basis exists anywhere. Data collected under "consent" but no actual consent mechanism. Legitimate interest claimed without a balancing test.
Skip (N/A) when: Application operates in a jurisdiction with no privacy regulations and collects no personal data (extremely rare — most apps should document this regardless of jurisdiction).
Detail on fail: Example: "No documented lawful basis for any data collection. Privacy policy states 'we collect data to improve your experience' without specifying the legal basis." or "Marketing emails sent to all registered users with no consent mechanism — no opt-in at signup."
Remediation: Map lawful bases in your privacy policy and optionally in a data register:
Data Register (data-register.md or spreadsheet):

| Data Type    | Collection Point  | Lawful Basis     | Notes                              |
|--------------|-------------------|------------------|------------------------------------|
| Email        | Signup form       | Contract         | Required to deliver service        |
| Email        | Newsletter opt-in | Consent          | Separate checkbox at signup        |
| Usage events | In-app analytics  | Legitimate int.  | Balancing test: low privacy impact |
| Payment info | Checkout          | Contract         | Required for payment processing    |
| IP address   | Server logs       | Legal obligation | 90-day retention, security use     |
For legitimate interest, a brief balancing test is sufficient: "We collect usage analytics to improve the product. Impact on user privacy is low (pseudonymous IDs, no sensitive data). Users can opt out via settings."