Introduction
In 2026, the legal basis remains the cornerstone of GDPR (Article 6). Without a valid basis, any processing of personal data is unlawful and exposes your organization to administrative fines of up to €20M or 4% of worldwide annual turnover, whichever is higher (Art. 83.5). The €50M penalty the CNIL imposed on Google in 2019 turned on exactly this point: the consent relied on for ads personalization was neither sufficiently informed nor specific, so there was no valid basis. For DPOs and compliance officers, choosing the right basis is not a formality: it is a precise analysis balancing purpose, proportionality, and alternatives. This tutorial walks you step by step from the six legal bases to the LIA (Legitimate Interest Assessment), with actionable frameworks and real enforcement cases (Amazon, Meta). By the end, you will be able to document legal bases that withstand a CNIL audit, in a post-Schrems II and AI Act landscape.
Prerequisites
- Advanced GDPR knowledge (Articles 4-6, 9, 22-25)
- Experience mapping processing activities (data processing register)
- Familiarity with EDPB guidelines: Guidelines 05/2020 on consent; WP29 Opinion 06/2014 and EDPB Guidelines 1/2024 on legitimate interests (Art. 6.1.f)
- Tools like Excel or Notion for LIA checklists
Step 1: Map Processing Activities and Purposes
Start with an exhaustive mapping of your processing activities, as the legal basis is inseparable from the purpose (GDPR Art. 5.1.b). Use this mapping framework:
| Processing | Data Collected | Main Purpose | Recipients | Retention |
|---|---|---|---|---|
| Newsletter | Email, name | Direct marketing | Comms team | 3 years from last contact, or until unsubscribe |
| Recruitment | CV, contact details | Candidate selection | HR | 2 years after last contact for unsuccessful candidates |
Practical exercise: List 5 processing activities in your organization; define each purpose in one precise sentence.
Step 2: Master the 6 Legal Bases and Their Criteria
The 6 bases (GDPR Art. 6) aren't interchangeable. Here's an expert comparison table:
| Legal Basis | Applicability Criteria | Advantages | Limitations | Real Example |
|---|---|---|---|---|
| Consent (6.1.a) | Freely given, specific, informed, unambiguous (Art. 4.11, Art. 7) | Clear signal to the data subject; demonstrable (Art. 7.1) | Withdrawable at any time; rarely "free" where there is a power imbalance (employer/employee); parental consent needed for children below the national age threshold (Art. 8: 16, lowered to 15 in France) | Facebook (Meta) fined €60M by the CNIL (2022) because refusing cookies was harder than accepting them |
| Contract (6.1.b) | Necessary for performance of a contract with the data subject, or for pre-contractual steps at their request | Stable, no withdrawal | Strictly limited to what the contract genuinely requires | Netflix: subscription and billing data to deliver the streaming service |
| Legal Obligation (6.1.c) | Required by EU or member-state law (Art. 6.3) | Ironclad once the provision is cited | Covers only what the law requires, nothing beyond it | Employers: DSN payroll declarations; VAT invoicing records |
| Vital Interests (6.1.d) | Protecting the life of the data subject or another person | Applies in emergencies without prior formalities | Exceptional; in principle only where no other basis is available (Recital 46) | Emergency admission of an unconscious patient |
| Public Interest Task (6.1.e) | Task in the public interest or exercise of official authority, laid down in EU or member-state law (Art. 6.3) | Suited to public bodies and bodies entrusted with a public task | Needs an explicit legal footing; limited to the task defined by that law | ARS: COVID vaccination campaign |
| Legitimate Interests (6.1.f) | Necessary for an interest of the controller or a third party, and that interest is not overridden by the data subject's rights (three-part LIA) | Flexible | LIA mandatory and documented; right to object (Art. 21); not available to public authorities for their tasks | Amazon: product recommendations based on purchase history |
Step 3: Apply the LIA Test for Legitimate Interests
LIA Canvas Template (following WP29 Opinion 06/2014 and EDPB Guidelines 1/2024), a reusable model built on the three-part test:
- Legitimate interest: What benefit, for whom, and is it lawful and clearly articulated? (e.g., fraud detection; quantify the expected benefit where you can).
- Necessity: Could the purpose be achieved with less data or a less intrusive method? (anonymization vs. pseudonymization; shorter retention; sampling).
- Balancing: Weigh the impact on data subjects (nature of the data, reasonable expectations, vulnerability) against the interest. Score 1-10, where a high score means the interest clearly prevails; document the reasoning, not just the number.
- Safeguards: Easy objection (Art. 21), pseudonymization, retention limits, transparency in the Art. 13/14 notice. Note that consent is not a safeguard for a 6.1.f processing; if you need consent, consent is your basis.
LIA Checklist:
- [ ] Interest documented and, where possible, quantified
- [ ] DPIA (Art. 35) completed if the processing is likely to result in a high risk
- [ ] Right to object exercisable in 2 clicks
Exercise: For marketing tracking, complete an LIA in 30 minutes.
Step 4: Document and Prove Compliance
The burden of proof lies with the controller (Art. 5.2). Create a legal basis register template:
Processing Sheet:
- ID: TRT-001
- Basis: Legitimate interests
- Justification: Attached LIA (balancing score 8/10)
- Legal Ref: Art. 6.1.f + WP29 Opinion 06/2014 + EDPB Guidelines 1/2024
- Evidence: objection mechanism tested, objection rate tracked (<5%), annual audits
Real example: OVHcloud, post-Schrems II, documents 'contract (Art. 6.1.b)' as the basis for the processing and, separately, 'standard contractual clauses (Art. 46.2.c) plus a transfer impact assessment' for any US transfer. The two are distinct: an Article 6 basis never legitimises a transfer on its own. Integrate the sheet into the record of processing activities (Art. 30). Analogy: like a lawyer prepping a case file, anticipate the CNIL's questions ('Why not consent?', 'Which less intrusive option did you reject, and why?'). Automate with Airtable for scalability.
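The register sheet above and the LIA checklist in Step 3 can be enforced mechanically rather than by eyeballing each sheet. The following is an added example, not code from the page or from any vendor tool: a small validator that walks a register of processing sheets and reports, per sheet, which piece of documentation is missing for the basis claimed. Field names, the sample register and the rule that a balancing score below 6 means the interest does not clearly prevail are all this example's own assumptions.

```python
"""Validate a legal-basis register against the documentation each basis needs.

Added example (not from the page). Field names, the score threshold and the
sample register are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import Optional

BASES = {"6.1.a", "6.1.b", "6.1.c", "6.1.d", "6.1.e", "6.1.f"}
BALANCING_THRESHOLD = 6  # assumption: below this the interest does not clearly prevail


@dataclass
class LIA:
    interest: str            # the legitimate interest, stated in one sentence
    necessity: str           # why a less intrusive option would not achieve the purpose
    balancing_score: int     # 1-10, higher = interest prevails (page's canvas scale)
    safeguards: tuple = ()   # e.g. ("pseudonymization", "objection in 2 clicks")


@dataclass
class Record:
    id: str
    purpose: str
    basis: str
    legal_ref: str = ""                        # provision cited for 6.1.c / 6.1.e
    lia: Optional[LIA] = None                  # mandatory for 6.1.f
    withdrawal_mechanism: bool = False         # consent can be withdrawn (Art. 7.3)
    objection_mechanism: bool = False          # right to object (Art. 21)
    targets_children: bool = False
    parental_consent: bool = False             # Art. 8
    controller_is_public_authority: bool = False
    transfer_outside_eea: bool = False
    transfer_tool: str = ""                    # e.g. "SCC 2021/914 + TIA", "adequacy"
    high_risk: bool = False
    dpia_done: bool = False                    # Art. 35


def check_record(r: Record) -> list:
    """Return the list of gaps for one processing sheet (empty list = documented)."""
    if r.basis not in BASES:
        return [f"unknown basis {r.basis!r}"]
    issues = []
    if not r.purpose.strip():
        issues.append("purpose missing (Art. 5.1.b)")
    if r.basis == "6.1.a":
        if not r.withdrawal_mechanism:
            issues.append("consent: no withdrawal mechanism (Art. 7.3)")
        if r.targets_children and not r.parental_consent:
            issues.append("consent: child users without parental consent (Art. 8)")
    elif r.basis in ("6.1.c", "6.1.e") and not r.legal_ref:
        issues.append(f"{r.basis}: cite the EU/member-state provision (Art. 6.3)")
    elif r.basis == "6.1.f":
        if r.controller_is_public_authority:
            issues.append("6.1.f: not available to public authorities for their tasks")
        if r.lia is None:
            issues.append("6.1.f: LIA missing")
        else:
            for part in ("interest", "necessity"):
                if not getattr(r.lia, part).strip():
                    issues.append(f"6.1.f: LIA {part} not documented")
            if not 1 <= r.lia.balancing_score <= 10:
                issues.append("6.1.f: balancing score must be 1-10")
            elif r.lia.balancing_score < BALANCING_THRESHOLD:
                issues.append("6.1.f: balancing does not favour the interest; reconsider basis")
        if not r.objection_mechanism:
            issues.append("6.1.f: no right-to-object mechanism (Art. 21)")
    # Transfers and DPIAs are checked whatever the basis: Art. 6 never covers Chapter V.
    if r.transfer_outside_eea and not r.transfer_tool:
        issues.append("transfer outside EEA without Chapter V tool (Art. 44-46)")
    if r.high_risk and not r.dpia_done:
        issues.append("high-risk processing without DPIA (Art. 35)")
    return issues


def validate_register(records) -> dict:
    """Map each sheet id to its list of gaps."""
    return {r.id: check_record(r) for r in records}


# Constructed sample register (not real processing sheets).
SAMPLE_REGISTER = [
    Record(id="TRT-001", purpose="Product recommendations from purchase history", basis="6.1.f",
           lia=LIA("Increase relevance of the shop for returning customers",
                   "Aggregate category-level signals; no browsing history outside the shop",
                   8, ("pseudonymized profile", "objection in 2 clicks")),
           objection_mechanism=True),
    Record(id="TRT-002", purpose="Marketing tracking across the site", basis="6.1.f"),
    Record(id="TRT-003", purpose="Web analytics with a US-hosted provider", basis="6.1.a",
           withdrawal_mechanism=True, transfer_outside_eea=True),
]

if __name__ == "__main__":
    for sheet_id, gaps in validate_register(SAMPLE_REGISTER).items():
        print(sheet_id, "OK" if not gaps else gaps)
```

Run it as a pre-commit hook on the register export, or from a CI job: a sheet with an empty gap list is one the CNIL can be shown; the others tell the business owner exactly which document is missing before the annual review in Step 5.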
Step 5: Manage Changes and Annual Reviews
Legal bases evolve (e.g., expanded purpose = new basis). Implement a governance cycle:
- Quarterly: Review mapping
- Annual: LIA audit (CNIL benchmarks)
- Event-driven: Post-DPIA or complaint
Essential Best Practices
- No hierarchy between bases: the CNIL's guidance is to pick the basis that genuinely fits the purpose, not a default. In practice, contract and legal obligation, where they truly apply, are more stable than consent, which must be freely given, granular and withdrawable; legitimate interests sit in between and cost you an LIA.
- Hybrid multi-basis: E.g., e-commerce = contract (payment) + legitimate interests (recommendations).
- Proactive transparency: State basis in Art. 13/14 info (e.g., 'Legitimate interests ref. LIA-2026-01').
- Collaborative audits: Involve legal + business teams for robustness.
- Tools: OneTrust or Captain Compliance for automated LIA templates.
Common Mistakes to Avoid
- Consent abuse: the CNIL has repeatedly sanctioned sites where refusing cookies was harder than accepting (Google €150M and Facebook €60M, January 2022). Use consent only where the processing can genuinely stop when it is withdrawn.
- Phantom LIA: no documentation means you cannot meet the accountability burden (Art. 5.2), and a wrong basis is no better. In January 2023 the Irish DPC fined Meta €390M because contract (6.1.b) could not carry behavioural advertising on Facebook and Instagram.
- Single basis trap: sub-processing gets missed (e.g., third-party analytics embedded on the site is a separate processing with its own basis and LIA).
- Transfer oversight: an Article 6 basis does not cover a transfer outside the EU; Chapter V tools (adequacy, SCCs plus a transfer impact assessment) are separate (Schrems II; Meta €1.2B, May 2023, for US transfers without a valid tool).
Further Reading
Dive into EDPB Guidelines 05/2020 on consent, EDPB Guidelines 1/2024 on legitimate interests (Art. 6.1.f), WP29 Opinion 06/2014, and the CNIL's pages on legal bases. Join our Advanced GDPR for DPOs training with hands-on LIA workshops.