What does control A.1.2.3 require?
The organisation shall determine, document and be able to demonstrate compliance with the relevant lawful basis for the processing of PII for the identified purposes.
This control sits within the Conditions for collection and processing objective (A.1.2), which aims to demonstrate that processing is lawful, rests on a legal basis under each applicable jurisdiction, and serves clearly defined and legitimate purposes. While A.1.2.2 Identify and Document Purpose establishes what you are processing and why, A.1.2.3 establishes the legal ground that permits you to do so.
What does the implementation guidance say?
Annex B (section B.1.2.3) provides the following guidance:
- Some jurisdictions require the lawful basis to be established before processing begins — organisations should not assume they can retrospectively assign a legal ground
- The standard recognises six common categories of lawful basis, although applicable legislation may define them differently:
  - Consent of the PII principal
  - Performance of a contract to which the PII principal is party
  - Compliance with a legal obligation to which the controller is subject
  - Vital interests of the PII principal or another natural person
  - Public interest or exercise of official authority
  - Legitimate interests pursued by the controller or a third party
- See also A.1.2.7: Contracts with PII Processors for related requirements
- See also A.1.2.8: Joint PII Controller for related requirements
- Where special categories of PII are processed (e.g. health data, biometric data, racial or ethnic origin), additional legal bases may be required — such as explicit consent, necessity for employment law obligations, protection of vital interests, or processing by a not-for-profit body
- The organisation must be able to demonstrate that the chosen basis is appropriate — mere assertion is not sufficient
How does this map to GDPR?
Control A.1.2.3 maps to a substantial set of GDPR provisions:
- Article 5(1)(a) — The principle of lawfulness, fairness and transparency
- Article 6(1)–(4) — The six lawful bases for processing, plus the compatibility test for further processing
- Article 8 — Conditions applicable to child’s consent in relation to information society services
- Article 9 — Processing of special categories of personal data
- Article 10 — Processing of data relating to criminal convictions and offences
- Article 17 — Right to erasure (linked because erasure rights depend on the lawful basis relied upon)
- Article 18 — Right to restriction of processing
- Article 22 — Automated individual decision-making, including profiling
The breadth of this mapping reflects the fact that lawful basis selection has downstream consequences across almost every GDPR obligation — from data subject rights to retention periods.
How does this relate to ISO 29100 privacy principles?
This control supports the Purpose legitimacy and specification principle in ISO 29100. That principle requires that the purpose for processing PII comply with applicable law and rest on a permissible legal basis. A.1.2.3 is the operational mechanism for satisfying this principle — it turns the abstract requirement into documented, demonstrable compliance.
What evidence do auditors expect?
When assessing compliance with A.1.2.3, auditors will typically look for:
- Lawful basis register — A documented mapping of each processing activity to its lawful basis, ideally cross-referenced with the purpose register from A.1.2.2 Identify and Document Purpose
- Legitimate interests assessments (LIAs) — Where legitimate interests is relied upon, documented balancing tests showing the organisation’s interests were weighed against the rights of PII principals
- Special category justifications — Separate documented rationale for any processing of sensitive PII, citing the additional legal ground relied upon
- Legal review records — Evidence that legal advice was sought or internal review was conducted when selecting the lawful basis, particularly for complex or high-risk processing
- Timing evidence — That the lawful basis was determined before processing began, not documented retrospectively
- Communication to PII principals — That the lawful basis is stated in privacy notices and other information provided to individuals
What are the related controls?
| Control | Relationship |
|---|---|
| A.1.2.2 Identify and document purpose | Purposes must be established first — lawful basis is determined for each purpose |
| A.1.2.4 Determine consent | If consent is the lawful basis, the consent process must be formally defined |
| A.1.2.5 Obtain and record consent | Operational implementation of consent where it is the chosen legal ground |
| A.1.2.6 Privacy impact assessment | PIAs assess processing against the documented lawful basis and purposes |
| A.1.3.3 Information for PII principals | The lawful basis must be communicated to PII principals |
| A.1.4.3 Limit processing | Processing must be limited to what the lawful basis permits |
What changed from ISO 27701:2019?
For a step-by-step approach, see the Transition from 2019 to 2025.
In the 2019 edition, this requirement appeared as part of Clause 7.2.2 (identify lawful basis). The control intent is substantively unchanged in the 2025 edition, but the restructuring into Table A.1 now provides a clearer separation between the normative control statement (A.1.2.3) and the normative implementation guidance (B.1.2.3). The emphasis on demonstrability — not just determining the basis but being able to prove compliance with it — has been retained and arguably strengthened by the clearer structure. See the Annex F correspondence table for the full mapping.
Why choose ISMS.online for managing lawful basis documentation?
ISMS.online gives you the tools to document, track and demonstrate your lawful bases with confidence:
- Lawful basis mapping — Link each processing activity to its legal ground in a structured register that auditors can review at a glance
- Legitimate interests assessment templates — Pre-built LIA templates guide you through the balancing test with prompts and scoring, so nothing is missed
- Special category flags — Automatically flag processing activities involving sensitive PII and prompt for the additional legal basis required
- Version-controlled evidence — Every change to your lawful basis documentation is timestamped, creating an audit trail that proves when decisions were made
- Integrated privacy notices — Link your lawful basis records directly to the privacy notices that communicate them to PII principals
- Cross-framework mapping — See how your lawful basis documentation satisfies ISO 27701, GDPR and other frameworks simultaneously
FAQs
Can we change our lawful basis after processing has started?
Switching lawful basis retrospectively is generally problematic. Most privacy frameworks expect the legal ground to be determined before processing begins. If circumstances change, you should document the rationale for any change, notify PII principals where appropriate, and consider whether existing data must be re-processed under the new basis or deleted. The key requirement is demonstrability — you must be able to show that the basis was valid at the time of processing.
How does lawful basis affect data subject rights?
The lawful basis you rely on directly determines which data subject rights apply. For example, under GDPR, the right to data portability only applies when processing is based on consent or contract performance. The right to object applies specifically to processing based on legitimate interests or public interest. This is why selecting the correct lawful basis at the outset is critical — it shapes your ongoing obligations throughout the data lifecycle.
What if multiple lawful bases could apply to the same processing?
You should identify and document the primary lawful basis you are relying on for each processing activity. While more than one basis may theoretically apply, selecting a single primary basis provides clarity for PII principals and simplifies compliance management. Relying on multiple bases simultaneously can create confusion — particularly if one basis (such as consent) is later withdrawn and you attempt to fall back on another.