Q: I have identified multiple legal grounds for processing the same set of data. Which legal basis for processing should I choose?
A: You only require one lawful basis in order to carry out the processing in accordance with GDPR.
You should consider which legal basis may provide conditions for processing which are reliable, and most in-line with your business objectives.
Consider the extent and limitations of certain lawful grounds.
Consider also the additional workload and burden of proof which may be necessary for establishing certain legal grounds (eg: demonstrating a legitimate interest).
Article 6(1), GDPR
In some situations, it may in fact be a disadvantage to seek out additional grounds for processing, when one legal basis is already known.
Consider, for example, attempting to gain consents and facing refusal or withdrawal, when an existing contractual obligation was already in place.
See this previous response to a customer’s GDPR Frequently Asked Question, for more information.