Study Guide: Certified Information Privacy Professional (CIPP): EU - Lawful Bases for Processing, Consent, Legitimate Interest, Contract, Legal Obligation, etc.
Source: https://www.fatskills.com/data-privacy-laws-and-regulations/chapter/cipp-cipp-eu-lawful-bases-for-processing-consent-legitimate-interest-contract-legal-obligation-etc


By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.


CIPP/E – Lawful Bases for Processing
(Study Guide – Exam-Ready, Practical, Plain-Language)


What This Is

Lawful bases are the “legal justifications” that allow a data controller (or processor) to handle personal data under the GDPR. Without a valid basis, any collection, use, or transfer is illegal and can trigger fines of up to €20 million or 4 % of global turnover.
Real-world example: A multinational retailer wants to move its European employee payroll data to a cloud provider in the United States. The retailer must first decide whether the transfer is covered by a legitimate-interest assessment, a contract-based necessity, or a consent-based approach before the data can legally leave the EU.


Key Terms & Provisions

  • Consent (Art. 6(1)(a) & Art. 7 GDPR): Freely given, specific, informed, and unambiguous indication of wishes. Must be recorded and can be withdrawn at any time. Example: A news website asks visitors to tick a box before dropping non-essential cookies.
  • Legitimate Interest (Art. 6(1)(f) GDPR): Processing is allowed if the controller’s legitimate interest is not overridden by the data subject’s rights. Requires a Legitimate Interest Assessment (LIA). Example: A logistics firm uses location data to optimise delivery routes.
  • Contractual Necessity (Art. 6(1)(b) GDPR): Processing required to fulfil a contract to which the data subject is a party. Example: An HR system processes employee data to administer salaries under the employment contract.
  • Legal Obligation (Art. 6(1)(c) GDPR): Processing required to comply with EU or Member State law. Example: A financial institution must retain transaction records for 5 years under anti-money-laundering rules.
  • Vital Interests (Art. 6(1)(d) GDPR): Processing necessary to protect the life of the data subject or another person. Example: An emergency-room doctor shares a patient’s health data with a specialist to save the patient’s life.
  • Public Task (Art. 6(1)(e) GDPR): Processing carried out in the exercise of official authority or a task in the public interest. Example: A municipal authority processes resident data to issue building permits.
  • Data Protection Impact Assessment (DPIA) (Art. 35 GDPR): Mandatory when processing is likely to result in a high risk to individuals (e.g., large-scale profiling). Example: A telecom operator deploying AI-driven churn prediction must conduct a DPIA.
  • Standard Contractual Clauses (SCCs) (Commission Decision 2021/914): Pre-approved contract clauses that provide adequate safeguards for transfers to third countries lacking an adequacy decision. Example: The retailer’s cloud provider in the US signs SCCs to legitimize the payroll data transfer.
  • Article 28 Processor Obligations: Processors must act only on the controller’s documented instructions and maintain a record of processing activities. Example: A marketing agency processing EU customer lists must have a written contract specifying the lawful basis.
  • Right to Object (Art. 21 GDPR): Data subjects can object to processing based on legitimate interest or direct marketing. Example: A consumer tells a retailer to stop profiling for personalised offers; the retailer must halt that activity unless it proves compelling reasons.

Step-by-Step / Process Flow

  1. Map the Data Activity – Identify what personal data is collected, why, how it will be used, and where it will be stored or transferred.
  2. Select the Appropriate Lawful Basis – Match the purpose to one of the six GDPR bases (Consent, Contract, Legal Obligation, Vital Interests, Public Task, Legitimate Interest).
  3. Document the Decision – Record the chosen basis, the supporting facts, and, for legitimate interest, complete an LIA (including balancing test).
  4. Implement Transparency Measures – Update privacy notices, consent UI, or contractual clauses to reflect the lawful basis and provide clear rights information.
  5. Apply Safeguards for Transfers – If data leaves the EEA, attach SCCs, Binding Corporate Rules, or verify an adequacy decision; ensure the transfer aligns with the chosen basis.
  6. Review & Refresh Annually – Re-assess the lawful basis whenever the purpose changes, a new regulation emerges, or a significant data-subject request is received.

Common Mistakes

  • Mistake: Treating “opt-out” as consent, i.e. assuming that silence equals permission.
    Correction: Consent must be an affirmative act (opt-in). Use a clear tick box or similar mechanism and record the timestamp.
  • Mistake: Using legitimate interest for marketing without a LIA, skipping the balancing test.
    Correction: Conduct a full LIA, publish the result in the privacy notice, and honor any right-to-object requests promptly.
  • Mistake: Relying on contract when the activity is optional, e.g., “We must process your data to send you the newsletter.”
    Correction: If the activity is not essential to the contract, the correct basis is consent (or legitimate interest if justified).
  • Mistake: Assuming a data subject can waive a legal-obligation basis, e.g., asking a user to consent to the retention of tax records.
    Correction: Legal-obligation bases cannot be overridden by consent; they must be applied regardless of the data subject’s wishes.
  • Mistake: Failing to update the lawful-basis record after a purpose change, e.g., adding a new analytics use.
    Correction: Whenever the purpose changes, re-evaluate the basis, update the internal register, and amend the privacy notice.

CIPP Exam Insights

  1. “Opt-in vs. Opt-out” – The exam loves to ask which basis requires explicit opt-in (Consent) and which permits opt-out (Legitimate Interest). Remember: Consent = opt-in; Legitimate Interest = opt-out with right-to-object.
  2. “Targeting” Test (Art. 3 GDPR) – A non-EU controller can be in scope if it offers goods/services to EU residents or monitors their behaviour, even without a physical EU presence.
  3. “Hierarchy of Bases” – There is no hierarchy; the controller must pick the most appropriate basis. The exam may present a scenario where multiple bases could apply; choose the one that best fits the factual purpose (e.g., contract over consent when the activity is mandatory).
  4. “Processor vs. Controller” – Processors cannot rely on their own lawful basis; they must follow the controller’s documented instructions. Expect a question contrasting Art. 28 obligations with Art. 6 bases.

Quick Check Questions

  1. Scenario: A German SaaS provider wants to send a monthly newsletter to EU customers who have never purchased anything. Which lawful basis is appropriate?
    Answer: Consent (Art. 6(1)(a)).
    Explanation: The newsletter is a direct-marketing activity not required for a contract; therefore, an opt-in consent is needed.

  2. Scenario: An EU-based hospital shares a patient’s medical record with a specialist in another EU country for emergency treatment. Which basis applies?
    Answer: Vital Interests (Art. 6(1)(d)).
    Explanation: The processing is necessary to protect the patient’s life; consent is not required in an emergency.

  3. Scenario: A UK e-commerce site uses cookies to remember a shopper’s cart contents for 30 days. The site also profiles the shopper for personalised offers. Which basis covers the profiling?
    Answer: Legitimate Interest (Art. 6(1)(f)) – provided a proper LIA is performed and the shopper is given an easy right-to-object.


Last-Minute Cram Sheet (10 One-Liners)

  1. Art. 6(1) GDPR – Six lawful bases; Consent is the only one that must be opt-in.
  2. Art. 7(2) GDPR – Consent can be withdrawn as easily as it was given; the controller must stop processing immediately.
  3. Art. 3 GDPR – “Targeting” includes monitoring online behaviour of EU residents, even if the site is hosted abroad.
  4. Art. 21 GDPR – Data subjects may object to legitimate-interest processing; the controller must cease unless compelling reasons exist.
  5. Art. 28 GDPR – Processors cannot decide the lawful basis; they must follow the controller’s documented instructions.
  6. Legitimate Interest Assessment (LIA) – Must contain (i) purpose test, (ii) necessity test, (iii) balancing test.
  7. SCCs (Commission Decision 2021/914) – The only EU-approved tool for transfers to the US after Schrems II, unless an adequacy decision exists.
  8. Art. 35 DPIA – Triggered by large-scale profiling, systematic monitoring, or processing of special categories.
  9. Fine ceiling – Up to €20 million or 4 % of global turnover, whichever is higher.
  10. Right to Data Portability (Art. 20 GDPR) – Applies only when processing is based on consent or contract and is automated.

Good luck – you’ve got the core concepts, the exam traps, and the practical steps you need to ace the CIPP/E!