When can you switch lawful bases?

Switching lawful bases after processing has begun is generally problematic and should be avoided. GDPR requires identifying your lawful basis before processing starts, and switching suggests either that your original basis was invalid or that you're looking for justifications after the fact. Regulators view basis-switching skeptically, particularly if it appears designed to avoid the implications of the original basis (like switching from consent to avoid honoring consent withdrawals).

There are limited legitimate scenarios for reconsidering bases. If circumstances genuinely change-a new legal requirement emerges, your business relationship with data subjects fundamentally shifts, or new guidance clarifies appropriate bases. You umight need to re-evaluate. If you discover your original basis was selected in error and another basis was actually more appropriate from the start, correction may be warranted. But these should be exceptional situations with documented justifications, not routine basis shopping.

If you must change bases, handle it transparently and carefully. Update your privacy notice to reflect the new basis. Consider whether you need to inform affected data subjects. Ensure you can meet all requirements of the new basis (if switching to legitimate interests, conduct an LIA). Document why the change was necessary and appropriate. Never switch to avoid giving effect to subscriber rights. If usomeone withdraws consent, switching to legitimate interests to keep emailing them would likely be seen as abuse of the framework. Your lawful basis should be stable and deliberate-switching suggests something went wrong, so do it only when genuinely necessary and fully document why.