GDPR Lawful Basis: Selection, Documentation and Application in Web Analytics
GDPR requires all processing of personal data to rest on a lawful basis under Article 6. Without one, the processing is unlawful. In web analytics, the basis you pick determines what data you can collect, what rights users hold, and what obligations you carry.
Six Lawful Bases
Article 6(1) GDPR sets six lawful bases. At least one must apply to any processing.
a) Consent
Definition. The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
Key traits:
- Freely given, specific, informed and unambiguous
- Requires positive action (opt-in)
- Withdrawable at any time
- Not a condition for service if processing is not necessary
Use in analytics:
- Tracking cookies for detailed profiling
- Personalization based on behavior
- Marketing automation integrations
- Sharing data with third-party analytics
Valid Consent Requirements
Four pillars under GDPR:
- Freely given. Real choice, no coercion.
- Specific. Tied to particular purposes.
- Informed. User understands what they accept.
- Unambiguous. Clear affirmative action.
b) Contract
Definition. Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
Key traits:
- Must be objectively necessary for the contract
- Cannot extend to unrelated processing
- Covers concluded and prospective contracts
Use in analytics:
- Delivering paid analytics services
- Billing and financial reporting
- Account security
- Technical support
c) Legal Obligation
Definition. Processing is necessary for compliance with a legal obligation to which the controller is subject.
Key traits:
- Obligation must come from EU or Member State law
- Excludes contractual obligations
- Usually regulatory in nature
Use in analytics:
- Tax record retention
- Law enforcement disclosures
- Industry compliance
- Audit trails for financial regulation
d) Vital Interests
Definition. Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
Key traits:
- Limited to life-or-health emergencies
- Used rarely, only when other bases fail
- Requires evidence of real threat
Use in analytics:
- Cyberattack defense
- Emergency medical disclosures
- Critical infrastructure security
- Fraud threats to financial safety
e) Public Task
Definition. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Key traits:
- Mostly for government bodies
- Task needs a clear legal basis
- Rare for private companies
Use in analytics:
- Government sites measuring service use
- Educational institutions studying online learning
- Public-interest medical research
- Urban planning analysis
f) Legitimate Interests
Definition. Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
Key traits:
- Most flexible basis
- Requires a Legitimate Interest Assessment (LIA)
- Subjects can object
- Limited use for children
Use in analytics:
- Behavioral analysis to improve a site
- Fraud prevention and security
- Direct marketing (with right to object)
- Network and information security
```mermaid
graph TD
A[Need to process personal data] --> B{Is there a legal obligation?}
B -->|Yes| C[Legal obligation]
B -->|No| D{Necessary for contract?}
D -->|Yes| E[Contract]
D -->|No| F{Vital situation?}
F -->|Yes| G[Vital interests]
F -->|No| H{Public task?}
H -->|Yes| I[Public task]
H -->|No| J{Can justify legitimate interest?}
J -->|Yes| K[Legitimate interests]
J -->|No| L[Consent]
K --> M[Conduct LIA test]
M --> N{Balance favors organization?}
N -->|No| L
N -->|Yes| O[Use legitimate interests]
```
Picking a Basis
Selection Criteria
Match the basis to the user relationship. Three common profiles follow.
Consumer-facing sites
Typical bases:
- Consent for marketing tracking
- Legitimate interests for basic site analytics
- Contract for users with accounts
Notes:
- High transparency expectations
- Simple consent UX matters
- Balance personalization and privacy
Business customers
Typical bases:
- Contract for paid analytics services
- Legitimate interests for product improvement
- Consent for additional marketing
Notes:
- Complex contractual relationships
- Detailed analytics for business use
- Professional context
Public bodies
Typical bases:
- Public task for delivering services
- Legal obligation for regulatory compliance
- Legitimate interests for service improvement
Notes:
- Public accountability for protection
- Service efficiency vs privacy
- Special transparency duties
Processing Type to Basis
| Processing Type | Recommended Basis | Alternatives |
|---|---|---|
| Basic web analytics | Legitimate interests | Consent |
| Marketing cookies | Consent | - |
| Fraud prevention | Legitimate interests | Vital interests |
| Billing and invoicing | Contract | Legal obligation |
| Content personalization | Consent | Legitimate interests |
| A/B testing | Legitimate interests | Consent |
| Security monitoring | Legitimate interests | Vital interests |
Documenting the Basis
Required Documentation
Record of Processing Activities (ROPA). For each activity, record:
- Description and purpose
- Selected lawful basis
- Justification
- Data subject categories and data categories
- Recipients
- Retention periods
- Technical and organizational safeguards
ROPA entry example:
Processing: User behavior web analytics
Purpose: Improving user experience and content optimization
Lawful Basis: Legitimate interests (Article 6(1)(f))
Justification: User behavior analysis is necessary for improving
site functionality and represents a legitimate interest of the organization.
User interests are protected through IP address anonymization and
limited data retention periods.
Legitimate Interest Assessment (LIA)
A three-step test: purpose, necessity, balancing.
Step 1, purpose test. Questions:
- What specific interest are we pursuing?
- Is it legitimate?
- Is it real and current?
- Can it be clearly stated?
Examples for analytics:
- Improving site performance
- Fraud prevention
- Network security
- Content effectiveness
Step 2, necessity test. Criteria:
- Is processing needed to achieve the interest?
- Are less intrusive options available?
- Is processing proportionate?
Alternatives to consider:
- Anonymous data instead of personal data
- Aggregated metrics instead of individual tracking
- Opt-in instead of automatic collection
Step 3, balancing test. Factors for processing:
- Reasonable user expectations
- Minimal intrusion
- Transparent processing
- Safeguards in place
Factors for protection:
- Data sensitivity
- Potential impact on user
- Subject vulnerability
- Risks to rights and freedoms
LIA Example for Web Analytics
Interest. Site performance optimization to improve UX.
Necessity:
- Page-load timing data is needed to find issues
- Server logs lack client-side experience signals
- Volume collected is minimal and proportionate
Balance:
- Benefit: site improvements meet user expectations
- Risks: minimal, only technical data collected
- Safeguards: IP anonymized, retention 6 months
Conclusion. Legitimate interest justified, balance favors processing.
Consent Management
Valid Consent
Principles:
- Separate consent per purpose
- Partial consent allowed
- Independent toggles per cookie type
UI:
Cookie banners:
- Clear cookie type info
- Equal "Accept" and "Reject" buttons
- Preference controls
- Link to full privacy policy
Defaults:
- No pre-checked boxes
- No cookies before consent
- Neutral defaults
Withdrawal (required):
- Simple way to withdraw
- As easy as giving consent
- Immediate processing stop
- Core functionality preserved
Consent Management Platforms (CMP)
CMP responsibilities:
- Collect and store consents
- Integrate with analytics systems
- Block cookies until consent given
- Centralize privacy settings
- Maintain audit trail
Technical example:
```javascript
// Example consent check before initializing tracking;
// cmp is the site's consent management platform object
if (cmp.hasConsent('analytics')) {
  initializeAnalytics();
}
if (cmp.hasConsent('marketing')) {
  loadMarketingPixels();
}
```
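The check above assumes a CMP that already exists. The following is an added example, not Statable's code and not any real CMP's API, of what sits behind such a `hasConsent` call: a per-purpose consent gate with neutral defaults (nothing granted, so no cookies before consent), tracker start only after a grant, immediate teardown and cookie removal on withdrawal, and an audit trail of every decision. The purpose names, the `{ init, teardown }` tracker hook shape, the injectable clock and the constructed cookie jar standing in for `document.cookie` are all assumptions made for the example.

```javascript
// Added example (not Statable's code, not a real CMP API): a minimal per-purpose
// consent gate. Purposes and the tracker hook shape are assumptions.
const PURPOSES = ['analytics', 'marketing'];

function createConsentManager(options = {}) {
  // Injectable clock so the audit trail is reproducible in tests.
  const now = options.now || (() => new Date().toISOString());
  const granted = new Map(PURPOSES.map((p) => [p, false])); // no pre-checked boxes
  const trackers = new Map(); // purpose -> { init(), teardown() }
  const running = new Set();  // purposes whose tracker is currently loaded
  const audit = [];           // every grant/withdrawal with a timestamp

  function checkPurpose(purpose) {
    if (!granted.has(purpose)) throw new Error(`unknown purpose: ${purpose}`);
  }
  function log(event, purpose) {
    audit.push({ ts: now(), event, purpose });
  }
  function start(purpose) {
    const t = trackers.get(purpose);
    if (t && !running.has(purpose)) { t.init(); running.add(purpose); }
  }
  function stop(purpose) {
    const t = trackers.get(purpose);
    if (t && running.has(purpose)) { t.teardown(); running.delete(purpose); }
  }

  const api = {
    // Register the code that would set cookies for a purpose. It is NOT run here,
    // so nothing is set before consent; if consent already exists, start it now.
    register(purpose, tracker) {
      checkPurpose(purpose);
      trackers.set(purpose, tracker);
      if (granted.get(purpose)) start(purpose);
    },
    hasConsent(purpose) {
      checkPurpose(purpose);
      return granted.get(purpose) === true;
    },
    grant(purpose) {
      checkPurpose(purpose);
      granted.set(purpose, true);
      log('granted', purpose);
      start(purpose);
    },
    // Withdrawal stops processing immediately and removes the tracker's cookies.
    withdraw(purpose) {
      checkPurpose(purpose);
      granted.set(purpose, false);
      log('withdrawn', purpose);
      stop(purpose);
    },
    // Apply a banner's per-purpose decisions, e.g. { analytics: true, marketing: false }.
    // Purposes not mentioned are left unchanged, so partial consent is allowed.
    apply(decisions) {
      for (const [purpose, ok] of Object.entries(decisions)) {
        if (ok) api.grant(purpose); else api.withdraw(purpose);
      }
    },
    auditTrail() { return audit.slice(); },
    isRunning(purpose) { checkPurpose(purpose); return running.has(purpose); },
  };
  return api;
}

// Stand-alone demo with a constructed cookie jar standing in for document.cookie.
function demo() {
  const jar = new Map();
  const cm = createConsentManager();
  cm.register('analytics', {
    init: () => jar.set('_site_analytics', 'id-123'), // constructed cookie
    teardown: () => jar.delete('_site_analytics'),
  });
  cm.register('marketing', {
    init: () => jar.set('_mkt_pixel', 'seg-7'),        // constructed cookie
    teardown: () => jar.delete('_mkt_pixel'),
  });
  const before = jar.size;                // 0: nothing set before consent
  cm.apply({ analytics: true, marketing: false });
  const afterPartial = [...jar.keys()];  // only the analytics cookie exists
  cm.withdraw('analytics');
  const afterWithdraw = jar.size;         // 0: cookies gone on withdrawal
  return { before, afterPartial, afterWithdraw, events: cm.auditTrail().length };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

The design choice worth noting is that `register` stores a tracker's `init` without calling it: the only path to a cookie being set runs through `grant`, which is also the only path that writes an audit event, so the audit trail and the cookies present in the browser can be reconciled against each other.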
Changing the Basis
When Allowed
Permitted:
- Business model or relationship change
- New legal obligations
- LIA balance shifts
- Additional consent for expanded processing
Not permitted:
- Switching from consent to legitimate interests after withdrawal
- Using contract for unrelated processing
- Moving to less transparent bases without notice
Change Procedures
Required steps:
- Update privacy policy
- Notify users
- Reassess technical and organizational measures
- Update rights-handling procedures
- Document the change
Lawful basis selection is core to GDPR compliance in analytics. It demands clear understanding of business processes, technical reality, and the legal nuance of each basis. Plan proactively. Pick the basis that protects rights without breaking utility.
We integrate basis selection into our analytics architecture. Statable supports per-purpose configuration, built-in LIA tooling, and automated consent management.
About AI participation in writing articles
This article, like many others on our site, was created, written and proofread by a team of developers, with the participation of AI assistants. We don't hide this: modern systems already handle simple tasks well, and writing an article about Viewport entirely by hand would be odd; it would not come out significantly better and would take much more time. Basic explanations for beginner webmasters are still needed. After the assistants draft an article, several people proofread it, and only then is it published.