How to document the chosen lawful basis?
Documenting your lawful basis requires clear records created before processing begins. For each processing activity (sending marketing emails, tracking engagement, enriching profiles), document which lawful basis applies, why you selected that basis, and how you meet its requirements. This documentation should be part of your Record of Processing Activities (ROPA) required under GDPR Article 30 and should be readily available if regulators or data subjects ask how you justify your processing.
For consent-based processing, documentation includes: consent records with timestamps, sources, and IP addresses; the specific consent language presented; version histories showing what subscribers saw when they opted in; records of any consent withdrawals; and your processes for ensuring consent is freely given, specific, informed, and unambiguous. This evidence proves subscribers actively agreed to receive communications.
For legitimate interests, documentation requires a Legitimate Interest Assessment (LIA). This three-part analysis: (1) identifies your legitimate interest (what purpose you're pursuing); (2) demonstrates necessity (processing is genuinely needed to achieve that interest, with no less intrusive alternative); (3) performs a balancing test (your interests don't override the individual's rights, considering expectations, data sensitivity, relationship, and safeguards). Keep completed LIAs on file and reference them when explaining your processing basis. Documentation isn't about paperwork; it's about being able to demonstrate, at any time, that you had valid grounds for processing from the start.