Controllers should decide the legal basis that they will use for processing before starting it, document their decision privacy notice (along with the purposes) and include the reasons why they have made such choices (see the “Accountability” section in the “Principles” chapter). In principle, they should select the legal basis that most closely reflects the true nature of their relationship with the individual and the purpose of the processing. This decision is key, since changing the legal basis for processing is not possible if there are not solid reasons that justify it (see the “Purpose limitation” section in the “Principles” chapter).
In principle, consent is one of the most common legal grounds for processing. However, it involves certain risks. Namely, consent is always specific to specific purposes. Therefore, ‘widening’ the purposes of processing beyond data subjects’ explicit consent shall be rendered unlawful processing. In order to determinate whether further processing is compatible or not with the original processing controllers should make use of the criteria included in Article 6(4) of the GDPR (see the “When are purposes compatible?” subsection in the “Purpose limitation” section). As mentioned, processing for scientific or historical research purposes or statistical purposes shall not be considered incompatible with the initial purposes (see the “Data protection and scientific research” section in the “Concepts” section).
The most common alternative grounds for processing data in AI are legitimate interests, performance of contract and legal obligation or vital interest. All of them involve specific characteristics that must be carefully analyzed.