REQ-GDPR-001: Lawful Basis for Processing

Overview

Purpose: Legal basis identification and documentation
GDPR Article: Article 6 - Lawfulness of Processing
Category: data-processing, legal-basis
Priority: High
Framework: GDPR

Description

Establishes procedures to identify, document, and maintain appropriate lawful basis for all personal data processing activities in accordance with GDPR Article 6.

Acceptance Criteria

Feature: Lawful Basis for Data Processing
  As a data controller
  I want to establish lawful basis for processing
  So that I can comply with GDPR Article 6 requirements

  Background:
    Given the organization processes personal data
    And GDPR compliance is required
    And data processing activities are identified

  Scenario: Lawful Basis Identification
    Given personal data processing is planned
    When the processing purpose is defined
    And the data subject category is identified
    And processing context is analyzed
    Then appropriate lawful basis shall be identified
    And legal basis shall be documented
    And processing shall be limited to stated purpose

  Scenario: Consent as Lawful Basis
    Given consent is chosen as lawful basis
    When consent is requested from data subjects
    And consent mechanism is implemented
    And consent records are maintained
    Then consent shall be freely given
    And consent shall be specific and informed
    And consent withdrawal shall be possible

  Scenario: Legitimate Interest Assessment
    Given legitimate interest is considered
    When legitimate interest is identified
    And necessity test is performed
    And balancing test is conducted
    Then legitimate interest shall be documented
    And data subject rights shall be protected
    And opt-out mechanism shall be provided

  Scenario: Legal Obligation Processing
    Given legal obligation requires processing
    When legal requirement is identified
    And processing scope is defined
    And retention period is determined
    Then legal basis shall be documented
    And processing shall be limited to legal requirement
    And data subject shall be informed

  Scenario: Vital Interest Processing
    Given vital interest processing is required
    When life-threatening situation exists
    And other lawful basis is not available
    And processing is necessary for vital interest
    Then vital interest shall be documented
    And processing shall be limited to necessity
    And data subject shall be informed when possible

Technical Context

Implementation Requirements

Lawful Basis Register: Comprehensive record of all processing activities and their lawful basis
Consent Management System: Technical and organizational measures for obtaining and managing consent
Legitimate Interest Assessment (LIA): Documented assessment for legitimate interest processing
Data Subject Information: Clear and transparent information about processing and lawful basis
Processing Records: Detailed records of processing activities under Article 30
Legal Compliance Monitoring: Ongoing monitoring of lawful basis validity

System Architecture

interface LawfulBasisManagement {
  lawfulBasisRegister: LawfulBasisRegister;
  consentManagement: ConsentManagementSystem;
  legitimateInterestAssessment: LegitimateInterestAssessment;
  dataSubjectInformation: DataSubjectInformation;
  processingRecords: ProcessingRecord[];
  complianceMonitoring: ComplianceMonitoring;
}

interface LawfulBasisRegister {
  processingActivities: ProcessingActivity[];
  lawfulBasisMapping: LawfulBasisMapping[];
  reviewSchedule: ReviewSchedule;
  updateProcedures: UpdateProcedure[];
}

interface ProcessingActivity {
  activityId: string;
  purpose: string;
  dataCategories: DataCategory[];
  dataSubjects: DataSubjectCategory[];
  lawfulBasis: LawfulBasis;
  retentionPeriod: RetentionPeriod;
  thirdPartySharing: ThirdPartySharing[];
}

enum LawfulBasis {
  CONSENT = 'consent',
  CONTRACT = 'contract',
  LEGAL_OBLIGATION = 'legal_obligation',
  VITAL_INTERESTS = 'vital_interests',
  PUBLIC_TASK = 'public_task',
  LEGITIMATE_INTERESTS = 'legitimate_interests',
}

Validation Strategy

Legal Basis Assessment: Systematic evaluation of appropriate lawful basis for each processing activity
Documentation Review: Verification of comprehensive lawful basis documentation
Consent Validation: Testing of consent mechanisms and record-keeping
Legitimate Interest Testing: Validation of legitimate interest assessments and balancing tests
Ongoing Monitoring: Regular review of lawful basis validity and processing changes

Testing Strategy

Compliance Testing

Lawful Basis Documentation

Verify all processing activities have identified lawful basis
Validate lawful basis register completeness and accuracy
Test lawful basis change management procedures
Verify data subject information accuracy

Test consent collection mechanisms
Validate consent record storage and retrieval
Test consent withdrawal functionality
Verify consent renewal procedures

Legitimate Interest Testing

Validate legitimate interest assessments
Test balancing test documentation
Verify opt-out mechanism functionality
Test legitimate interest communication to data subjects

Implementation Notes

Prerequisites

Data processing inventory and mapping
Legal analysis of applicable lawful basis options
Data protection impact assessment (DPIA) if required
Privacy policy and data subject information updates

Dependencies

Data Minimization (REQ-GDPR-002)
Purpose Limitation (REQ-GDPR-003)
Consent Management (REQ-GDPR-015)
Data Subject Rights (REQ-GDPR-006 to REQ-GDPR-010)

Constraints

Must comply with GDPR Article 6 requirements
Must align with data protection principles in Article 5
Must support data subject rights under Chapter III
Must enable lawful basis changes and updates

Compliance Evidence

Required Documentation

Lawful Basis Register with all processing activities
Consent records and management procedures
Legitimate Interest Assessments (LIA) where applicable
Data subject information and privacy notices
Processing records under Article 30 GDPR
Legal compliance monitoring reports

Audit Trail

Lawful basis identification and approval records
Consent collection and withdrawal records
Legitimate interest assessment and review records
Data subject information update history
Processing activity change records

REQ-GDPR-002: Data Minimization
REQ-GDPR-003: Purpose Limitation
REQ-GDPR-015: Consent Collection
REQ-GDPR-016: Consent Withdrawal

Note: Individual requirement template files are generated when using sc init --framework=gdpr

Usage Examples

CLI Commands

# Generate this requirement
sc req new --template=REQ-GDPR-001 --title="Lawful Basis for Processing"

# Validate lawful basis implementation
sc req validate REQ-GDPR-001 --framework=gdpr

# Generate privacy impact assessment
sc privacy pia --requirement=REQ-GDPR-001 --processing-activity=user-registration

Integration Example

// Lawful basis validation
const gdprValidator = new GDPRValidator();
const processingActivities = await loadProcessingActivities();

const lawfulBasisResult = await gdprValidator.validateLawfulBasis(
  processingActivities,
  {
    requirement: 'REQ-GDPR-001',
    includeConsent: true,
    validateLIA: true,
    checkDataSubjectInfo: true,
  }
);

if (lawfulBasisResult.isCompliant) {
  console.log('Lawful basis compliance verified');
} else {
  console.log('Lawful basis issues found:', lawfulBasisResult.issues);

  // Generate remediation plan
  const remediationPlan = await generateRemediationPlan(lawfulBasisResult.gaps);
  console.log('Remediation required:', remediationPlan);
}

Overview​

Description​

Acceptance Criteria​

Technical Context​

Implementation Requirements​

System Architecture​

Validation Strategy​

Testing Strategy​

Compliance Testing​

Lawful Basis Documentation​

Consent Management Testing​

Legitimate Interest Testing​

Implementation Notes​

Prerequisites​

Dependencies​

Constraints​

Compliance Evidence​

Required Documentation​

Audit Trail​

Related Requirements​

Usage Examples​

CLI Commands​

Integration Example​