Legal basis under GDPR – the documentation requirement
For the processing of personal data to be lawful, it must rest on one of the six legal bases listed in Article 6(1) GDPR. Knowing which legal basis applies is not enough; the choice must also be documented in a manner that stands up to regulatory scrutiny. Many organisations find it difficult to keep their chosen bases up to date as new services, systems or collaborations are introduced, so a routine for checking, on an ongoing basis, that the documentation reflects reality is prudent. Otherwise a minor change to a process can render the original basis outdated, and the discrepancy only surfaces during an audit. Regular reviews make it easier to detect and remedy such discrepancies in good time.
Another key aspect is ensuring that everyone involved in the organisation understands the applicable lawful basis for processing personal data within their part of the processing. This strengthens practical compliance and the quality of communications with data subjects. Thoughtful documentation acts as a clear map of how personal data are handled and is an important tool when questions arise from customers, partners or public authorities.
How to document the legal basis under GDPR – practical requirements
Under Article 5(2) GDPR (the accountability principle), the controller must be able to demonstrate that processing complies with the data protection principles. In practice this means the choice of lawful basis for processing personal data must not only be correct; it must also be recorded in writing. In an audit by the Data Protection Agency, you should expect to be asked for documentation showing:
- Which legal basis has been selected for each purpose of processing.
- How the assessment was carried out.
- Why other potential bases were rejected, which in borderline cases can support the chosen legal basis.
Where legitimate interests (Article 6(1)(f)) are relied upon, the legitimate interest assessment, including the balancing test, must be written down and kept up to date. This basis must not be used as a default; the documentation must show that the processing is necessary for the stated interest and that the interests and fundamental rights and freedoms of the data subject do not override it.
It is also important that neither the purpose nor the legal basis is changed retrospectively. Processing must rest on a clearly defined basis from the outset. At audit or review, it is not sufficient to “state” a basis after the fact; it should already be set out in the privacy notice (which under Articles 13 and 14 must identify the legal basis for each purpose) and in the internal record of processing activities kept under Article 30. Clear documentation also reduces the risk of errors when informing data subjects and facilitates internal compliance monitoring.
At Morling Consulting, our GDPR lawyers help companies structure and document their processing of personal data—so that selecting the legal basis under GDPR is done correctly and is properly evidenced. We assist with calibrating the lawful basis for processing personal data across processes, recording decisions in the Article 30 record of processing activities, and maintaining the legitimate interest balancing test where relevant.
Our support ensures that documentation mirrors operational reality, withstands supervisory review, and enhances day-to-day compliance.