Without a documented lawful basis for each processing activity, every data collection your application performs is potentially unlawful under GDPR Art. 6. Regulators do not need to prove harm: the absence of a documented basis is itself the violation. Marketing emails sent to users who signed up only for account delivery violate Art. 6 directly, because the 'contract' basis (Art. 6(1)(b)) covers service delivery, not promotional campaigns, and each is a separate processing purpose that needs its own basis. The distinction between consent, contract, and legitimate interest is not cosmetic: 'legitimate interest' (Art. 6(1)(f)) requires a balancing test, and skipping it exposes you to a finding of unlawful processing under Art. 5(1)(a) and Art. 6, which falls in the upper fine tier of Art. 83(5): up to EUR 20 million or 4% of global annual turnover, whichever is higher.
Critical because an undocumented lawful basis renders every processing activity potentially unlawful under GDPR Art. 6, and regulators can levy upper-tier fines without requiring proof of actual harm to individuals.
Document the lawful basis for each processing activity in your privacy policy and, optionally, in a DATA_REGISTER.md at the repo root. Write it explicitly per purpose: the same data item collected for two purposes (an email address for account delivery and for a newsletter) gets two rows, each with its own basis. Do not combine unrelated activities under one basis.
| Data Type    | Collection Point  | Lawful Basis                        | Notes                           |
|--------------|-------------------|-------------------------------------|---------------------------------|
| Email        | Signup form       | Contract (Art. 6(1)(b))             | Required to deliver the service |
| Email        | Newsletter opt-in | Consent (Art. 6(1)(a))              | Separate checkbox; withdrawable |
| Usage events | In-app analytics  | Legitimate interest (Art. 6(1)(f))  | Balancing test documented below |
| Payment info | Checkout          | Contract (Art. 6(1)(b))             | Required for payment processing |
For legitimate interest, document the balancing test: "Pseudonymous analytics to improve the product. Low-impact (no PII, opt-out available). Our interest does not override user privacy interests." Add this to DATA_REGISTER.md and cross-reference it from your privacy policy.
ID: gdpr-readiness.lawful-basis.lawful-basis-documented
Severity: critical
What to look for: Look for documentation that specifies the lawful basis for each data collection point under GDPR Article 6 (consent, contract, legal obligation, vital interests, public task, or legitimate interest). This documentation can live in the privacy policy (which must state the legal basis per processing purpose under GDPR Art. 13/14), a data register spreadsheet, a DATA_REGISTER.md, or inline comments in the data collection code. Pay attention to the distinctions: email for account delivery is "contract"; email for marketing newsletters is "consent" and requires a separate opt-in. Check analytics and tracking: legitimate interest requires a balancing test, so any processing where "legitimate interest" is claimed should have at least a brief balancing test documented. Check whether marketing emails are sent to all registered users without a consent mechanism (a common AI-built-app failure). Count every data processing activity and enumerate the lawful basis claimed for each. Report: X of Y processing activities have a documented lawful basis.
Pass criteria: For each significant data collection point (account signup, analytics, marketing, payments, contact forms), the lawful basis is documented. The distinction between consent-based and contract-based collection is clear and accurate. Legitimate interest claims include at least a brief balancing test. The privacy policy explicitly states the legal basis for each processing activity. At least 1 implementation must be confirmed.
Fail criteria: No documentation of lawful basis exists anywhere in the project. Data collected under "legitimate interest" with no balancing test. Marketing emails sent to all registered users with no consent mechanism. Privacy policy uses vague language ("to provide our services") without identifying the legal basis.
Skip (N/A) when: Application processes no personal data and has no user accounts, forms, or analytics of any kind. Note that IP addresses in server logs and identifiers set by third-party analytics or tracking scripts are personal data, so an application that only serves pages behind a logging reverse proxy usually still has at least one processing activity to document.
Cross-reference: The consent-records check in Consent Management verifies that consents collected here are stored with the evidence required for accountability.
Detail on fail: Specify what is missing. Example: "No documented lawful basis for any data collection. Privacy policy states 'we collect data to provide services' without identifying Art. 6 legal basis for each processing activity." or "Marketing emails sent to all registered users on signup with no opt-in checkbox. No consent legal basis exists." or "Analytics processing claimed under legitimate interest with no balancing test documented.".
Remediation: Map lawful bases explicitly in your privacy policy and optionally in a data register:
Data Register — document and maintain per data collection point:
| Data Type       | Collection Point      | Lawful Basis                        | Notes                                    |
|-----------------|-----------------------|-------------------------------------|------------------------------------------|
| Email           | Signup form           | Contract (Art. 6(1)(b))             | Required to deliver the service          |
| Email           | Newsletter opt-in     | Consent (Art. 6(1)(a))              | Separate checkbox; withdrawable          |
| Usage events    | In-app analytics      | Legitimate interest (Art. 6(1)(f))  | Balancing test: low-impact, pseudonymous |
| Payment info    | Checkout              | Contract (Art. 6(1)(b))             | Required for payment processing          |
| IP address      | Server logs           | Legitimate interest (Art. 6(1)(f))  | Balancing test: 90-day retention, fraud/security purpose |
In your privacy policy, write it plainly: "We process your email address to deliver the service you signed up for (legal basis: contract). We send marketing updates only to users who opt in (legal basis: consent). You can withdraw consent at any time by clicking Unsubscribe."
For legitimate interest, document the balancing test inline or in your data register: "We collect pseudonymous usage analytics to improve the product. Impact on privacy is minimal (no PII, user-controlled opt-out). We have assessed this and determined our interest does not override user privacy interests."
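To make the check above repeatable (the "X of Y processing activities" report in What to look for, and the fail criteria of a missing basis, legitimate interest without a balancing test, and marketing sends without consent), the following script parses a DATA_REGISTER.md table in the format shown in the remediation and applies those rules. It is an added example, not part of the original checklist or any project's own tooling; the column names, the requirement that a legitimate-interest row mention "balancing test" in its Notes, and the sample register are assumptions made for illustration.

```python
"""Lint a DATA_REGISTER.md lawful-basis table (added example; column layout is assumed)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# The six lawful bases of GDPR Art. 6(1)(a)-(f), keyed by the keyword a register row is expected to use.
ART6_BASES = {
    "consent": "Art. 6(1)(a)",
    "contract": "Art. 6(1)(b)",
    "legal obligation": "Art. 6(1)(c)",
    "vital interests": "Art. 6(1)(d)",
    "public task": "Art. 6(1)(e)",
    "legitimate interest": "Art. 6(1)(f)",
}


@dataclass
class Finding:
    data_type: str
    collection_point: str
    message: str


@dataclass
class Report:
    documented: int
    total: int
    findings: list[Finding] = field(default_factory=list)

    def summary(self) -> str:
        return f"{self.documented} of {self.total} processing activities have a documented lawful basis"


def parse_register(markdown: str) -> list[dict[str, str]]:
    """Return the rows of the first pipe table in the document as dicts keyed by lower-cased header."""
    rows: list[dict[str, str]] = []
    headers: list[str] | None = None
    for line in markdown.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if headers is None:
            headers = [h.lower() for h in cells]
            continue
        if all(re.fullmatch(r":?-+:?", c) for c in cells):  # the |---|---| separator row
            continue
        rows.append(dict(zip(headers, cells)))
    return rows


def classify_basis(text: str) -> tuple[str, str] | None:
    """Map free text such as 'Contract (Art. 6(1)(b))' onto an Art. 6 basis; None if unrecognised."""
    lowered = text.lower()
    for keyword, article in ART6_BASES.items():
        if keyword in lowered:
            return keyword, article
    return None


def check_register(markdown: str) -> Report:
    """Apply the pass/fail criteria of this check to every row of the register."""
    rows = parse_register(markdown)
    report = Report(documented=0, total=len(rows))
    for row in rows:
        dtype = row.get("data type", "?")
        point = row.get("collection point", "?")
        basis = classify_basis(row.get("lawful basis", ""))
        notes = row.get("notes", "").lower()
        if basis is None:
            report.findings.append(Finding(dtype, point, "no recognised Art. 6 lawful basis"))
            continue
        keyword, _article = basis
        # Legitimate interest is only acceptable with a documented balancing test (assumed convention:
        # the Notes column must mention it).
        if keyword == "legitimate interest" and "balancing test" not in notes:
            report.findings.append(Finding(dtype, point, "legitimate interest claimed without a balancing test"))
            continue
        # Marketing/newsletter collection points need consent, not the service contract.
        if any(w in point.lower() for w in ("newsletter", "marketing")) and keyword != "consent":
            report.findings.append(Finding(dtype, point, f"marketing collection point relies on '{keyword}', expected consent"))
            continue
        report.documented += 1
    return report


# Constructed sample register containing three of the failure modes this check looks for.
SAMPLE_REGISTER = """\
| Data Type    | Collection Point  | Lawful Basis                       | Notes                                             |
|--------------|-------------------|------------------------------------|---------------------------------------------------|
| Email        | Signup form       | Contract (Art. 6(1)(b))            | Required to deliver the service                   |
| Email        | Newsletter opt-in | Contract (Art. 6(1)(b))            | Sent to all registered users                      |
| Usage events | In-app analytics  | Legitimate interest                | Pseudonymous                                      |
| Payment info | Checkout          | Contract (Art. 6(1)(b))            | Required for payment processing                   |
| IP address   | Server logs       | Legitimate interest (Art. 6(1)(f)) | Balancing test: 90-day retention, security purpose |
| Phone        | Support form      |                                    |                                                   |
"""

if __name__ == "__main__":
    result = check_register(SAMPLE_REGISTER)
    print(result.summary())
    for f in result.findings:
        print(f"FAIL  {f.data_type} @ {f.collection_point}: {f.message}")
```

On the constructed register this reports 3 of 6 activities documented and lists the three failing rows (newsletter under contract, analytics without a balancing test, and a row with no basis at all), which maps directly onto the "Detail on fail" wording above. Run it in CI against the repo's DATA_REGISTER.md by replacing SAMPLE_REGISTER with the file contents.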