Lawful-basis-of-processing tracking
lawful-basis-tracking
Domain: data-privacy
Type: process
Description
GDPR Article 6 enumerates six lawful bases for processing personal data (consent, contract, legitimate interest, vital interest, public task, legal obligation), and most non-EU privacy regimes have converged on a similar enumeration. The lawful basis is not a one-time selection at product launch; it attaches per processing activity, which means a product that does account creation, marketing analytics, third-party advertising, and customer support is running four lawful-basis selections, frequently with different answers. Tracking the basis per activity, documenting the assessment that justified the selection (the legitimate-interest balancing test is the canonical example, with a written record of the necessity test, the legitimate-interest test, and the balancing-against-data-subject-rights test), and surfacing the basis to data subjects through the privacy notice together form the structural triangle the regulators look for.
Where this typically breaks is the conflation of consent with contract: consent is one of the six options and not the easy one, because it has to be freely given, specific, informed, unambiguous, and revocable at the same friction level as the giving. Most product teams reach for consent reflexively because it is the most familiar of the six bases, then discover that contract or legitimate interest would have been a better structural fit and that the consent UX they shipped is now the path of least resistance for years.
Applicability
Applies when: markets include EU, UK, Brazil, or Canada.
Required by (9 regulations)
- GDPR
Article 6 — lawfulness of processing; Article 30 — records of processing activities.
Regulation (EU) 2016/679 of the European Parliament and of the Council
- Indonesia PDP
- Kenya DPA
- LGPD
Article 7 — legal bases for processing.
Lei nº 13.709, de 14 de agosto de 2018 (as amended by Lei nº 13.853/2019 and Emenda Constitucional nº 115/2022)
- Philippines DPA
- PIPL
Personal Information Protection Law of the People's Republic of China (adopted August 20, 2021, effective November 1, 2021)
- PDPL
Royal Decree M/19, dated 9/2/1443 AH (September 16, 2021), Personal Data Protection Law, effective September 14, 2023
- POPIA
- UAE Data Protection Law
Fulfilled by (3)
- onetrust · full · medium effort · $$
- transcend · partial · medium effort · $$
- In-house build · medium effort
ClearLaunch does not accept payment from vendors.
Evidence formats
- ROPA (Article 30 record)
- legitimate-interest assessments (LIAs)
- consent receipts