How to document the chosen lawful basis?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Choosing your lawful basis isn't enough. You need to write it down before you start processing, and that documentation needs to hold up if a regulator ever asks to see it.

For each type of processing you do (sending marketing emails, tracking engagement, storing profile data, passing data to your CRM), you should record: the processing activity, the lawful basis you're relying on, why you chose that basis, and the date you made that decision.

If you're using consent, you need consent records too: timestamp, source, the exact wording the person agreed to, and the version of your privacy notice in effect at the time. Most ESPs can export this data, but check that yours does before you need it.

If you're using legitimate interest, you need a Legitimate Interest Assessment (LIA). This is a documented three-step test: purpose (what's your legitimate interest), necessity (is processing necessary for that purpose), and balancing (do your interests outweigh the individual's rights). The LIA should be a real document, not a one-liner.

This documentation typically lives in your Records of Processing Activities (ROPA), which GDPR Article 30 requires for organizations above 250 employees and in many other situations. Even if you're below that threshold, maintaining a ROPA is good practice and shows due diligence.

A simple starting point: document your three main email types (marketing, transactional, automated), the lawful basis for each, and where the consent or LIA records are stored. That covers most of what a regulator will ask for first.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Build your GDPR lawful basis documentation for each email type.

I use lawful basis: consent / legitimate interest for my marketing emails. Can you help me create a documentation template that covers what a regulator would expect to see, including what consent records to keep and whether I need a formal Legitimate Interest Assessment?

Edit the yellow boxes, then send to the AI of your choice.