How to demonstrate lawful processing under GDPR Article 6?

GDPR Article 6 requires a lawful basis for every processing activity involving personal data. For email marketing, the most common bases are consent (Article 6(1)(a)) and legitimate interest (Article 6(1)(f)). To demonstrate lawful processing, you must first identify which basis applies to each processing activity, then maintain evidence that the requirements for that basis are satisfied. This isn't a one-time determination. You need ongoing documentation that can be produced if regulators, auditors, or data subjects ask how you justify your processing.

For consent-based processing, maintain the consent records described earlier: timestamps, sources, consent language, and confirmation evidence for double opt-in. The consent must be freely given (not bundled with other agreements), specific (about what you'll send), informed (the person understood what they were agreeing to), and unambiguous (a clear affirmative act). Document how your consent collection meets each of these requirements. If relying on consent, ensure you can easily withdraw consent for any subscriber, and track consent withdrawals with the same rigor as original consent.

For legitimate interest, documentation requires a Legitimate Interest Assessment (LIA). This three-part analysis identifies your legitimate interest (e.g., marketing your products to existing customers), demonstrates that processing is necessary to achieve that interest (you can't reasonably achieve the same result without processing), and balances your interest against the data subject's rights and expectations (considering factors like the relationship, data sensitivity, and likely impact). Keep LIAs on file and reference them when explaining your lawful basis. Demonstrating lawful processing means always being able to answer "why are you allowed to do this?" with documented evidence, not just confident assertions.