Document the Lawful Basis for Every Processing Activity
A basis you can't reconstruct won't survive an audit
Under GDPR Art. 6(1), every processing activity needs a lawful basis — and Art. 30(1)(c) requires you to record it. In practice, that basis lives in someone's head, a stale spreadsheet cell, or a free-text note that doesn't hold up when a supervisory authority asks.
The problem compounds across jurisdictions. The same activity may rest on consent in one country, legitimate interests in another, and a different statutory basis where another regulation applies. A single dropdown can't capture that, and manual mapping drifts the moment the processing changes.
When an inspection comes, the question isn't whether you have a basis — it's whether you can show, per activity and per jurisdiction, which one and why.
What you can do with the Legal Basis Register
- Define the six standardized GDPR bases — consent, contract, legal obligation, vital interests, public task, legitimate interests — plus regulation-specific bases.
- Map each basis to applicable laws by jurisdiction, so the right basis attaches to the right region.
- Attach multiple bases to one activity and track which combinations apply across international transfers.
- Document each basis with a description and references to your supporting evidence.
- Filter out non-applicable bases on transfers so selections stay accurate as activities change.
- Import and export basis definitions across companies to keep multi-entity records consistent.
What it delivers to your program
- Answer the regulator per activity — show the lawful basis and its jurisdiction without reconstructing it under deadline.
- Reduce basis errors — non-applicable filtering on transfers keeps selections accurate as processing changes.
- Stay defensible across borders — multiple bases per activity capture cross-jurisdiction reality instead of flattening it.
- Keep entities aligned — import and export carry consistent definitions across companies, so records don't fork.
Built for compliance
DPMS helps you evidence the specific obligations that govern lawful basis — mapped to the article and control, never to "the GDPR."
| What DPMS does | Maps to | How |
|---|---|---|
| Records the lawful basis per processing activity | GDPR Art. 6(1) | Standardized bases selectable and documented per activity |
| Captures legal basis as a record element | GDPR Art. 30(1)(c) | Basis stored against each activity with descriptions and evidence references |
| Documents bases for special-category data | GDPR Art. 9 | A dedicated register branch for special-category conditions, including explicit consent |
Why Priverion
The register isn't a standalone list. It lives inside one unified privacy and InfoSec platform, so the basis you document flows to your processing records (ROPA) without re-keying. Unlike general-purpose GRC tools that offer a single basis field, Priverion lets you attach multiple bases per activity and map them to applicable laws by jurisdiction — the structure regulated, multi-entity organizations actually need. That integration across your records is the part that's hard to copy.
Questions DPOs ask before a demo
Can one activity have more than one legal basis?
Does it handle regulations beyond GDPR?
How does it reduce manual errors on transfers?
Can we share definitions across our entities?
Explore related capabilities
Ready to document a defensible basis for every activity?
