--- title: "EU GDPR Lawful Basis and LIA Workflow for Article 6(1)(f)" canonical_url: "https://www.sorena.io/artifacts/eu/general-data-protection-regulation/lawful-basis-and-lia-workflow" source_url: "https://www.sorena.io/artifacts/eu/general-data-protection-regulation/lawful-basis-and-lia-workflow" author: "Sorena AI" description: "Assess GDPR legitimate interests with a purpose, necessity, balancing, Article 21 objection, and evidence-record workflow grounded in Article 6(1)(f)." published_at: "2026-05-09" updated_at: "2026-05-09" keywords: - "EU GDPR" - "GDPR" - "Article 6(1)(f)" - "legitimate interests assessment" - "LIA" - "lawful basis" - "Article 21 objection" - "RoPA" - "legitimate interests" - "Article 21" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # EU GDPR Lawful Basis and LIA Workflow for Article 6(1)(f) Assess GDPR legitimate interests with a purpose, necessity, balancing, Article 21 objection, and evidence-record workflow grounded in Article 6(1)(f). *Artifact Guide* *EU* ## EU GDPR Lawful Basis and LIA Workflow Assess whether Article 6(1)(f) can support a processing activity by recording the legitimate interest, necessity analysis, balancing outcome, and objection handling. Use this workflow to keep privacy notices, RoPA entries, approvals, and reassessment triggers aligned with GDPR Articles 5, 6, 13, 14, 21, and 30. This workflow is for GDPR processing activities where a controller wants to rely on legitimate interests under Article 6(1)(f). The record should show the specific purpose, why the processing is necessary for that purpose, whether the controller or third-party interest is overridden by data-subject interests or rights, and how Article 21 objections will be handled. ## Start with the processing purpose and candidate lawful basis Create one LIA record per processing purpose, not one record for an entire product, department, or data platform. Article 5 requires specified, explicit, and legitimate purposes, and Article 6 requires at least one lawful basis for the processing. Record the candidate Article 6 basis before controls are designed. If the activity depends on consent, contract, legal obligation, vital interests, public task, or special-category processing rules, do not force it into Article 6(1)(f); use this workflow only for the legitimate-interests candidate and document why other Article 6 bases were not selected. - Processing activity: name the feature, operation, recipient, system, and data flow being assessed. - Purpose statement: describe the exact business or third-party interest and avoid vague labels such as analytics, security, or improvement without the concrete objective. - Data scope: list data-subject categories, personal-data categories, recipients, transfers, retention criteria, and security measures needed for the Article 30 record. - Lawful-basis check: confirm that Article 6(1)(f) is legally available for this controller and processing context before starting the balancing stage. - Transparency check: identify where Articles 13 or 14 notices will disclose the lawful basis, legitimate interest pursued, and Article 21 objection right. Sources for this answer: - [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Binding GDPR text for Article 5 principles, Article 6(1)(f) legitimate interests, Article 21 objection rights, and Article 30 processing records. - [Data Protection Commission - Guidance on Legal Bases for Processing Personal Data](https://www.dataprotection.ie/en/dpc-guidance/guidance-legal-bases-processing-personal-data?ref=sorena.io) - DPC guidance frames legal-basis selection as the controller question of the reason or justification for processing and lists legitimate interests as one Article 6 basis. - [Data Protection Commission - Records of Processing Activities under Article 30 GDPR](https://www.dataprotection.ie/sites/default/files/uploads/2023-04/Records%20of%20Processing%20Activities%20%28RoPA%29%20under%20Article%2030%20GDPR.pdf?ref=sorena.io) - DPC RoPA guidance supports keeping purposes, categories, recipients, transfers, erasure limits, security measures, and Article 6 legal basis evidence in processing records. ## Run the LIA in three decisions: purpose, necessity, balancing The Article 6(1)(f) test should be written as three separate decisions. A valid interest alone is not enough; the processing must be necessary for that interest and must not be overridden by the data subject interests or fundamental rights and freedoms that require protection of personal data. Keep the necessity analysis factual. Describe the minimum data, retention, recipients, automation, and access needed to meet the stated purpose, then identify any less intrusive alternatives that were accepted or rejected. - Purpose decision: state the controller or third-party legitimate interest and the evidence showing the interest is real, current, and connected to the processing. - Necessity decision: explain why each data category, recipient, retention period, and processing step is adequate, relevant, and limited to what is necessary for the purpose. - Balancing decision: assess expected impact on data subjects, reasonable expectations, vulnerability such as children, profiling or monitoring, and safeguards that reduce risk. - Outcome options: approve Article 6(1)(f), approve only with safeguards, change the processing, select a different lawful basis, or stop the activity. - Approval evidence: capture the approver, decision date, source citations, unresolved risks, safeguards, and next reassessment trigger. Sources for this answer: - [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Binding GDPR text for Article 5 principles, Article 6(1)(f) legitimate interests, Article 21 objection rights, and Article 30 processing records. ## Connect the LIA to Article 21 objection handling Article 21 gives data subjects the right to object, on grounds relating to their particular situation, to processing based on Article 6(1)(e) or Article 6(1)(f), including profiling based on those provisions. The LIA should therefore include the operational path for receiving, triaging, and deciding objections before the processing goes live. For Article 6(1)(f) processing, the controller must stop processing after an objection unless it can demonstrate compelling legitimate grounds that override the data subject interests, rights, and freedoms, or the processing is needed for legal claims. Direct marketing objections require a separate stop path because Article 21 says the personal data must no longer be processed for that purpose. - Notice link: show where the Article 21 right is brought to the data subject attention clearly and separately from other information. - Intake fields: record the data subject, processing activity, objection grounds, affected data, systems, recipients, and whether profiling or direct marketing is involved. - Decision rule: pause or restrict disputed processing while checking whether compelling legitimate grounds or legal-claims grounds are being asserted. - System controls: map suppression, deletion, restriction, recipient notification, and audit-log steps needed to implement the objection outcome. - LIA update: reopen the balancing record when objections reveal new impact, unexpected use, weak transparency, or safeguards that do not work in practice. Sources for this answer: - [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Binding GDPR text for Article 5 principles, Article 6(1)(f) legitimate interests, Article 21 objection rights, and Article 30 processing records. ## Evidence record for audit, notices, and RoPA updates Treat the LIA as a live evidence record tied to the RoPA and privacy notice. Article 30 records require the purposes of processing, data-subject and personal-data categories, recipients, transfers, erasure time limits where possible, and security measures where possible; DPC guidance also identifies Article 6 legal basis as a helpful extra field. The evidence should let a reviewer see the chain from Article 6(1)(f) to implementation: purpose, necessity, balancing, safeguards, notice text, objection handling, and owner approval. Avoid storing only a final yes or no outcome without the facts that made the decision supportable. - LIA fields: processing ID, purpose, interest owner, data owner, privacy/legal approver, source citations, decision status, safeguards, and review trigger. - RoPA fields: Article 6 basis, purpose, categories of data subjects and personal data, recipients, third-country transfer details, erasure criteria, and security controls. - Notice fields: lawful basis, specific legitimate interest, rights summary, and the Article 21 objection channel. - Change triggers: new purpose, new data category, new recipient, new profiling or monitoring, changed retention, child or vulnerable-user impact, transfer change, or recurring objections. - Evidence storage: keep the LIA, privacy notice excerpt, RoPA row, approval, implemented safeguards, and objection decisions together or cross-referenced by processing ID. Sources for this answer: - [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Binding GDPR text for Article 5 principles, Article 6(1)(f) legitimate interests, Article 21 objection rights, and Article 30 processing records. - [Data Protection Commission - Records of Processing Activities under Article 30 GDPR](https://www.dataprotection.ie/sites/default/files/uploads/2023-04/Records%20of%20Processing%20Activities%20%28RoPA%29%20under%20Article%2030%20GDPR.pdf?ref=sorena.io) - DPC RoPA guidance supports keeping purposes, categories, recipients, transfers, erasure limits, security measures, and Article 6 legal basis evidence in processing records. *Recommended next step* *Placement: before sources* ## Use this EU GDPR workflow to structure legitimate-interests assessments Sorena can help convert lawful-basis decisions into LIA records, RoPA fields, privacy-notice language, objection-handling steps, and reassessment triggers grounded in the cited GDPR sources. - [Open Research Copilot for EU GDPR](/solutions/research-copilot.md): Ask source-linked questions about Article 6(1)(f), Article 21 objections, transparency, and RoPA evidence using the cited sources on this page. - [Talk through implementation](/contact.md): Review your lawful-basis inventory, LIA evidence gaps, and objection-handling workflow with Sorena. ## Primary sources - [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Binding GDPR text for Article 5 principles, Article 6(1)(f) legitimate interests, Article 21 objection rights, and Article 30 processing records. - Quote: "processing is necessary for the purposes of the legitimate interests" - [Data Protection Commission - Guidance on Legal Bases for Processing Personal Data](https://www.dataprotection.ie/en/dpc-guidance/guidance-legal-bases-processing-personal-data?ref=sorena.io) - DPC guidance frames legal-basis selection as the controller question of the reason or justification for processing and lists legitimate interests as one Article 6 basis. - Quote: "What is my reason or justification for processing this personal data?" - [Data Protection Commission - Records of Processing Activities under Article 30 GDPR](https://www.dataprotection.ie/sites/default/files/uploads/2023-04/Records%20of%20Processing%20Activities%20%28RoPA%29%20under%20Article%2030%20GDPR.pdf?ref=sorena.io) - DPC RoPA guidance supports keeping purposes, categories, recipients, transfers, erasure limits, security measures, and Article 6 legal basis evidence in processing records. - Quote: "The Article 6 legal basis for processing" ## Related Topic Guides - [Does the EU GDPR apply outside the EU under Article 3?](/artifacts/eu/general-data-protection-regulation/faq/territorial-scope.md): A grounded GDPR Article 3 territorial-scope FAQ covering EU establishment, offering goods or services, monitoring behavior in the EU, and Article 27 representatives. - [EU GDPR Applicability Test for Products, Vendors, and Data Flows](/artifacts/eu/general-data-protection-regulation/applicability-test.md): A concrete GDPR scope test for personal data, controller and processor roles, EU establishment, EU targeting or monitoring, special-category and child data, transfers, vendors, and evidence. - [EU GDPR Article 30 RoPA Intake Workflow](/artifacts/eu/general-data-protection-regulation/ropa-intake-workflow.md): Use this GDPR Article 30 RoPA intake workflow to capture controller and processor fields, owners, transfers, retention, security measures, and evidence before a processing activity goes live. - [EU GDPR Article 6 Legal Bases FAQ](/artifacts/eu/general-data-protection-regulation/faq/legal-bases.md): FAQ on the six Article 6 GDPR lawful bases, consent caveats, legitimate interests, public-task and legal-obligation limits, and Article 9 special-category data. - [EU GDPR Automated Decision-Making and Profiling: Article 22 Scope, Safeguards, and Evidence](/artifacts/eu/general-data-protection-regulation/automated-decision-making-and-profiling.md): source-linked GDPR guide for automated decision-making and profiling: Article 22 scope, profiling definition, transparency, lawful basis, DPIA triggers, human review rights, and evidence. - [EU GDPR Breach Notification 72 Hours: Article 33 and 34 workflow](/artifacts/eu/general-data-protection-regulation/breach-notification-72-hours.md): Source-grounded EU GDPR breach notification workflow covering awareness, 72-hour supervisory authority notices, processor escalation, high-risk data-subject communication, delay reasons, and evidence logs. - [EU GDPR Breach Notification Workflow: 72-hour clock, risk assessment, and records](/artifacts/eu/general-data-protection-regulation/breach-notification-workflow.md): A concrete EU GDPR breach notification workflow for detecting and triaging incidents, starting the awareness clock, assessing risk, notifying authorities or data subjects, and keeping Article 33 records. - [EU GDPR Checklist: scope, lawful basis, DSARs, DPIA, RoPA, transfers](/artifacts/eu/general-data-protection-regulation/checklist.md): Use this GDPR checklist to review scope, lawful basis, notices, DSAR handling, DPIAs, RoPA, processor contracts, SCC transfers, breach notification, retention, security, and evidence. - [EU GDPR Children and Special-Category Data Guide](/artifacts/eu/general-data-protection-regulation/children-and-special-categories.md): source-linked GDPR guide for Article 8 children's consent, Article 9 special-category data, DPIA triggers, transparency, safeguards, and evidence records. - [EU GDPR Compliance Checklist: scope, rights, DPIA, RoPA, transfers](/artifacts/eu/general-data-protection-regulation/compliance.md): Practical EU GDPR compliance guide for mapping scope, lawful basis, notices, data-subject rights, DPIAs, RoPA, processor terms, breaches, transfers, retention, security, and penalties. - [EU GDPR Controller, Processor, and Joint Controller Roles](/artifacts/eu/general-data-protection-regulation/controller-processor-and-joint-controller-roles.md): source-linked GDPR guide for classifying controllers, processors, and joint controllers, with Article 28 contract checks, Article 26 transparency, and vendor evidence. - [EU GDPR Data Subject Rights and DSAR Workflow](/artifacts/eu/general-data-protection-regulation/data-subject-rights-and-dsar-workflow.md): source-linked GDPR DSAR workflow for intake, identity checks, request scope, the one-month response clock, extensions, refusals, processor escalation, and evidence. - [EU GDPR deadlines and compliance calendar](/artifacts/eu/general-data-protection-regulation/deadlines-and-compliance-calendar.md): source-linked GDPR calendar entries for applicability, DSAR response timing, breach notification, DPIA review, prior consultation, transfer reviews, and retention checks. - [EU GDPR DPIA and Prior Consultation Workflow](/artifacts/eu/general-data-protection-regulation/dpia-and-prior-consultation-workflow.md): Screen high-risk processing, run a GDPR Article 35 DPIA, record mitigation, and identify when Article 36 prior consultation is required. - [EU GDPR DPIA and risk management under Articles 35 and 36](/artifacts/eu/general-data-protection-regulation/dpia-and-risk-management.md): EU GDPR DPIA guide covering Article 35 triggers and contents, CNIL and DPC PIA methods, residual risk, mitigation records, and prior consultation limits. - [EU GDPR DSAR Exceptions: refusal, extensions, identity checks](/artifacts/eu/general-data-protection-regulation/faq/dsar-exceptions.md): FAQ on when EU GDPR controllers may extend, charge for, narrow, redact, or refuse a data subject access request under Articles 12 and 15. - [EU GDPR DSAR Workflow: Intake, Clock, Rights, and Evidence](/artifacts/eu/general-data-protection-regulation/dsar-workflow.md): Run a GDPR DSAR workflow for intake, identity checks, rights scoping, one-month response timing, extensions, refusals, processor handoffs, and evidence records. - [EU GDPR FAQ: scope, lawful basis, rights, DPIA, breaches, transfers](/artifacts/eu/general-data-protection-regulation/faq.md): Direct EU GDPR FAQ answers on scope, controller and processor roles, lawful basis, data subject rights, DPIAs, breach notification, international transfers, and Article 83 fine tiers. - [EU GDPR International Transfers and SCCs: Chapter V evidence guide](/artifacts/eu/general-data-protection-regulation/international-transfers-and-sccs.md): source-linked guide to GDPR Chapter V transfers, adequacy decisions, SCCs, transfer impact assessments, supplementary measures, and EU-US DPF checks. - [EU GDPR Lawful Basis and Consent Guide](/artifacts/eu/general-data-protection-regulation/lawful-basis-and-consent.md): Focused GDPR guide to Article 6 lawful bases, consent conditions, legitimate interests, special category data, withdrawal, and evidence records. - [EU GDPR Lead Supervisory Authority and One-Stop-Shop](/artifacts/eu/general-data-protection-regulation/lead-authority-and-one-stop-shop.md): How GDPR main establishment, cross-border processing, Article 56 lead authority competence, and Article 60 cooperation fit together. - [EU GDPR LIA Template for Article 6(1)(f)](/artifacts/eu/general-data-protection-regulation/lia-template.md): Use this EU GDPR legitimate interests assessment template to document Article 6(1)(f) purpose, necessity, balancing, safeguards, objection rights, and evidence. - [EU GDPR penalties and fines: Article 83 tiers and evidence](/artifacts/eu/general-data-protection-regulation/penalties-and-fines.md): EU GDPR penalties and fines guide covering Article 83 fine tiers, assessment factors, Article 58 powers, and evidence records for controllers and processors. - [EU GDPR Processor Contracts and Vendor Management | Article 28 Evidence Guide](/artifacts/eu/general-data-protection-regulation/processor-contracts-and-vendor-management.md): EU GDPR Article 28 guide for processor contracts, sub-processor controls, controller-processor role boundaries, vendor evidence, and SCC transfer clauses where applicable. - [EU GDPR Record of Processing Activities Template: Article 30 RoPA Fields](/artifacts/eu/general-data-protection-regulation/record-of-processing-activities-template.md): Build a GDPR Article 30 record of processing activities with separate controller and processor fields for purposes, data categories, recipients, transfers, erasure time limits, and security measures. - [EU GDPR Requirements: scope, rights, security, DPIA, RoPA, and transfers](/artifacts/eu/general-data-protection-regulation/requirements.md): Overview of core EU GDPR requirements covering scope, principles, lawful basis, notices, data-subject rights, processors, RoPA, security, breaches, DPIAs, and international transfers. - [EU GDPR Retention and Erasure Schedule](/artifacts/eu/general-data-protection-regulation/retention-and-erasure-schedule.md): Build an EU GDPR retention and erasure schedule around storage limitation, Article 17 erasure grounds, Article 12 rights handling, Article 19 recipient notices, and Article 30 RoPA fields. - [EU GDPR SCC Transfer Impact Assessment FAQ](/artifacts/eu/general-data-protection-regulation/faq/scc-transfer-impact-assessment.md): source-linked FAQ on when SCC transfer impact assessments are needed, what Clause 14 records, and when supplementary safeguards or transfer suspension are required. - [EU GDPR Transfer TIA and SCC Workflow](/artifacts/eu/general-data-protection-regulation/transfer-tia-and-scc-workflow.md): A GDPR workflow for checking adequacy, selecting SCC modules, documenting transfer impact assessments, and recording supplementary measures for third-country transfers. - [EU GDPR Transparency Notices: Articles 12, 13 and 14](/artifacts/eu/general-data-protection-regulation/transparency-notices.md): Source-grounded GDPR guide to privacy notices under Articles 12, 13 and 14: direct collection, third-party data sources, recipients, transfers, retention, rights, and lawful basis. - [EU GDPR vs Brazil LGPD: GDPR-led comparison and source gaps](/artifacts/eu/general-data-protection-regulation/gdpr-vs-lgpd.md): Compare EU GDPR duties with Brazil LGPD only where the available sources support the comparator, with GDPR rows for lawful basis, rights, breach, transfers, roles, and evidence. - [EU GDPR vs California CCPA: grounded GDPR comparison limits](/artifacts/eu/general-data-protection-regulation/gdpr-vs-ccpa.md): Compare GDPR implementation duties with source-limited California CCPA/CPRA context, showing where the available grounding supports a claim and where it does not. - [EU GDPR vs ePrivacy Directive: personal data, cookies, consent, and communications](/artifacts/eu/general-data-protection-regulation/gdpr-vs-eprivacy.md): Compare the EU GDPR and ePrivacy Directive for personal data processing, consent and lawful basis, cookies and terminal access, electronic communications, and parallel compliance. - [EU GDPR vs UK GDPR: source-limited compliance comparison](/artifacts/eu/general-data-protection-regulation/gdpr-vs-uk-gdpr.md): Compare EU GDPR obligations with source-limited UK GDPR transfer notes grounded in EU GDPR sources, covering scope, lawful basis, rights, accountability, records, DPIAs, security, and transfers. - [GDPR processor vs controller: role boundaries and evidence](/artifacts/eu/general-data-protection-regulation/faq/processor-vs-controller.md): Decide whether a party is a GDPR controller, processor, or joint controller using purpose-and-means tests, Article 28 terms, Article 26 arrangements, and Article 30 records. - [GDPR vs EU AI Act: privacy controls for AI systems](/artifacts/eu/general-data-protection-regulation/gdpr-vs-ai-act.md): Compare GDPR privacy duties with the EU AI Act only where the GDPR source pack supports the point: lawful basis, notices, DPIA, ADM, RoPA, rights, and source limits. - [GDPR vs EU Data Act: personal data safeguards and source limits](/artifacts/eu/general-data-protection-regulation/gdpr-vs-data-act.md): Compare GDPR obligations with the EU Data Act only where the available GDPR grounding supports the fact pattern, with clear safeguards for personal data, rights, transfers, and accountability. - [When does the EU GDPR require a DPIA?](/artifacts/eu/general-data-protection-regulation/faq/dpia-threshold.md): Answer the EU GDPR DPIA threshold question with Article 35 triggers, high-risk criteria, supervisory-authority list checks, and DPIA content requirements. - [When does the GDPR 72-hour breach notification clock start?](/artifacts/eu/general-data-protection-regulation/faq/breach-awareness-clock.md): GDPR breach-awareness FAQ covering the Article 33 clock, processor escalation, delayed or phased notifications, risk assessment, and records to keep. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/eu/general-data-protection-regulation/lawful-basis-and-lia-workflow