Lawful Basis and Consent Enforcement

2. Summary

Lawful Basis and Consent Enforcement requires that every AI agent processing personal data does so only under a formally recorded, verified, and currently valid lawful basis — and that where the lawful basis is consent, the agent can demonstrate that consent was freely given, specific, informed, unambiguous, and has not been withdrawn. The dimension addresses a fundamental challenge created by autonomous AI agents: an agent operating at machine speed across thousands of data subjects can process personal data without any human confirming that a lawful basis exists for each processing activity. Without AG-059, an organisation may believe it has lawful basis because a human completed a privacy impact assessment at deployment time, but the agent's actual processing activities may have drifted far beyond what the assessment covered. AG-059 requires that lawful basis verification is structural — enforced at the infrastructure layer before any processing occurs — not assumed from a one-time assessment that may be months or years out of date.

3. Example

Scenario A — Consent Withdrawal Ignored Due to Propagation Failure: A customer-facing AI agent for a health insurance company processes claims and communicates with policyholders via email. A policyholder withdraws consent for marketing communications by clicking an unsubscribe link. The withdrawal is recorded in the marketing platform's preference centre but is not propagated to the AI agent's operational data store. The agent, which has access to policy, claims, and communication history, continues to include personalised wellness recommendations — which constitute marketing under GDPR Article 21 — in its claims correspondence for 7 months. During this period, the agent sends 43 communications containing marketing content to the policyholder. The policyholder complains to the ICO.

What went wrong: Consent status was stored in a single system (the marketing platform) and was not propagated to all systems that process personal data under the consent basis. The AI agent had no mechanism to verify current consent status before including marketing content. The agent's processing was lawful at deployment time but became unlawful when consent was withdrawn and the agent was not informed. Consequence: ICO investigation, potential fine of up to 4% of annual turnover under GDPR, reputational damage from publicised enforcement action, remediation cost of £340,000 to implement consent propagation infrastructure.

Scenario B — Lawful Basis Mismatch After Purpose Drift: An enterprise workflow agent is deployed to process employee expense reports. The lawful basis recorded in the data protection impact assessment is "legitimate interest" for the purpose of expense processing. Over 9 months, the agent's capabilities are expanded: it begins analysing expense patterns to identify policy violations, flagging employees who frequently claim the maximum allowable amount, and generating reports on travel patterns by department. These analytical activities constitute profiling under GDPR Article 4(4) and require a separate lawful basis — either explicit consent or a distinct legitimate interest assessment with balancing test. No updated assessment is performed. The works council discovers the profiling reports and files a complaint with the data protection authority.

What went wrong: The lawful basis was assessed once at deployment but never re-evaluated as the agent's processing activities expanded. The original legitimate interest assessment covered expense processing, not employee profiling. The organisation had no mechanism to detect that the agent's processing had exceeded the scope of the recorded lawful basis. Consequence: Data protection authority finding of unlawful profiling, order to delete all profiling outputs, €2.1 million fine, employee trust damage, works council demands for AI agent moratorium.

Scenario C — Consent Collected Without Meeting GDPR Requirements: A customer-facing AI chatbot for an e-commerce platform collects consent for personalised recommendations during onboarding. The consent mechanism is a pre-ticked checkbox with the text: "I agree to the terms of service and personalised recommendations." The chatbot begins processing browsing history, purchase history, and location data for recommendation purposes. Under GDPR Article 7, consent must be freely given (not bundled with terms of service), specific (not combined with other purposes), informed (the data subject must know what data will be processed), and unambiguous (not pre-ticked). The consent mechanism fails all four requirements. When the data protection authority audits, the organisation discovers that none of its 2.3 million consent records constitute valid consent under GDPR.

What went wrong: The agent relied on consent records that were technically present but legally invalid. No validation layer checked whether the consent mechanism met regulatory requirements. The consent was bundled (combined with terms of service), not specific (covered multiple processing activities), not informed (did not specify data categories), and not unambiguous (pre-ticked). Consequence: All 2.3 million consent records invalidated, order to cease processing and re-obtain consent, 78% drop in recommendation engine coverage during re-consent campaign, €4.7 million fine, 14-month remediation programme.

4. Requirement Statement

Scope: This dimension applies to all AI agents that process personal data as defined under applicable data protection legislation — including GDPR, UK GDPR, CCPA/CPRA, LGPD, POPIA, PDPA, and equivalent national frameworks. Processing includes any operation performed on personal data: collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction. An AI agent that reads personal data from a database to generate a response is processing personal data. An AI agent that includes personal data in its context window is processing personal data. An AI agent that generates inferences about an individual from personal data is processing personal data. The scope extends to special category data (Article 9 GDPR) — health data, biometric data, racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, and data concerning sex life or sexual orientation — which requires additional conditions for processing beyond lawful basis. The scope also covers pseudonymised data where the agent has access to re-identification keys or where re-identification is reasonably likely.

4.1. A conforming system MUST record the lawful basis for each category of personal data processing performed by each agent, and MUST verify that the recorded lawful basis is valid before permitting the agent to process personal data.

4.2. A conforming system MUST enforce lawful basis verification at the infrastructure layer, independent of the agent's reasoning process — the agent cannot self-assess whether it has a lawful basis and proceed accordingly.

4.3. A conforming system MUST block personal data processing when no valid lawful basis is recorded, rather than defaulting to permissive operation.

4.4. A conforming system MUST maintain a real-time consent register that records, for each data subject and each processing purpose: whether consent has been given, when it was given, what information was provided at the time of consent, and whether it has been withdrawn.

4.5. A conforming system MUST propagate consent withdrawal to all agent processing activities within 72 hours of the withdrawal being recorded, and MUST block further processing under the withdrawn consent basis within that period.

4.6. A conforming system MUST ensure that consent mechanisms meet the requirements of applicable legislation — including that consent is freely given, specific, informed, and unambiguous (GDPR Article 7) — and MUST validate that consent records satisfy these requirements before relying on them as a lawful basis.

4.7. A conforming system MUST re-evaluate the lawful basis when the agent's processing activities change — including new data categories, new purposes, new recipients, or new processing techniques — and MUST block the changed processing until a valid lawful basis is confirmed.

4.8. A conforming system SHOULD implement automated lawful basis verification as a pre-processing gate that evaluates the agent's requested processing activity against the registered lawful basis and consent status before the processing begins.

4.9. A conforming system SHOULD maintain an audit trail of all lawful basis evaluations, including the processing activity, the lawful basis relied upon, the evaluation result, and the timestamp.

4.10. A conforming system MAY implement dynamic consent mechanisms that allow data subjects to modify consent granularity in real time through a self-service interface, with changes propagated to all agent processing activities automatically.

5. Rationale

Lawful Basis and Consent Enforcement governs the legal foundation for AI agent processing of personal data. Every data protection framework worldwide is built on the principle that personal data may be processed only when there is a legal justification for doing so. In the EU and UK GDPR, this takes the form of six lawful bases (Article 6): consent, contract, legal obligation, vital interests, public task, and legitimate interests. Other jurisdictions use different formulations but share the core principle: processing without legal justification is unlawful.

AI agents create a unique challenge for lawful basis enforcement because they operate autonomously, at scale, and at speed. A human employee processing a customer record can be trained to ask: "Do I have a lawful basis for this?" An AI agent processes thousands of records per hour and does not ask this question unless the infrastructure requires it. The risk is not that the agent deliberately processes data unlawfully — it is that the agent processes data in ways that exceed or differ from the lawful basis that was assessed at deployment time, and no mechanism detects the divergence.

Consent presents particular challenges in the AI agent context. Consent under GDPR must be freely given, specific, informed, and unambiguous. It must be as easy to withdraw as to give. An AI agent that relies on consent must therefore have access to real-time consent status for every data subject and every processing purpose. If consent is withdrawn, the agent must stop processing immediately — not at the next scheduled check, not at the end of the current batch, but before the next processing activity occurs. This requires infrastructure-layer enforcement: the agent's processing pipeline must include a consent verification step that blocks processing when consent has been withdrawn.

The distinction between lawful basis verification and lawful basis assessment is important. AG-059 does not require the AI agent to assess whether a lawful basis exists — that is a human legal judgement. AG-059 requires the system to verify that a human has recorded a lawful basis for the processing activity the agent is about to perform, and that the recorded basis is currently valid (e.g., consent has not been withdrawn, the contract is still in force, the legal obligation still applies). The verification is structural; the assessment is legal.

6. Implementation Guidance

AG-059 establishes the lawful basis register as the central governance artefact for personal data processing by AI agents. The register maps each agent, each data category, and each processing purpose to a specific lawful basis, with supporting evidence (consent records, legitimate interest assessments, contract references, or statutory citations). The enforcement layer consults the register before permitting any processing activity and blocks processing where no valid entry exists.

Recommended patterns:

• Pre-processing gate with lawful basis lookup. Implement a middleware layer that intercepts every data access request from the agent. The middleware extracts the data category and processing purpose from the request, queries the lawful basis register, and either permits (valid basis found) or blocks (no basis or expired basis) the request. For consent-based processing, the middleware also checks the consent register for the specific data subject. This pattern ensures that no personal data reaches the agent without verified lawful basis. A healthcare AI agent requesting patient records would have each request evaluated: "Agent X, purpose: claims triage, data category: health data, data subject: Patient 12345 — lawful basis: contract (insurance policy #P-789), status: active — PERMIT."
• Consent status cache with event-driven invalidation. Maintain a local cache of consent status for performance, but subscribe to a consent withdrawal event stream that invalidates cache entries in real time. When a data subject withdraws consent, the withdrawal event propagates to all caches within seconds, not hours. The cache returns "consent withdrawn" for any entry that has been invalidated, forcing the agent to stop processing. Target propagation latency: under 30 seconds for 99th percentile.
• Purpose-bound data views. Rather than giving agents access to raw personal data tables, create purpose-bound database views that include only the data categories authorised under the recorded lawful basis for each purpose. An agent operating under the "expense processing" lawful basis sees only expense-related fields; the same agent cannot access employee health data even if it exists in the same database. This structural separation makes lawful basis enforcement self-implementing at the data layer.
• Lawful basis change detection. Implement automated monitoring that compares the agent's actual processing patterns (data categories accessed, purposes inferred from queries, data subjects affected) against the recorded lawful basis. When the agent's processing diverges from the recorded basis — for example, accessing data categories not covered by the assessment — the system generates an alert for the data protection officer and, depending on configuration, blocks the divergent processing.

Anti-patterns to avoid:

• One-time assessment without ongoing verification. Performing a data protection impact assessment at deployment and then assuming the lawful basis remains valid indefinitely. Processing activities change, consent is withdrawn, contracts expire, and legal obligations are amended. Without ongoing verification, the assessment becomes stale and the processing may become unlawful.
• Agent self-assessment of lawful basis. Allowing the agent to reason about whether it has a lawful basis and proceed based on its own judgement. The agent may correctly identify that a lawful basis is needed but incorrectly assess that one exists, or may be manipulated through prompt injection into believing a basis exists when it does not. Lawful basis verification must be structural, not reasoning-based.
• Bundled consent mechanisms. Collecting consent for multiple purposes in a single action, or bundling consent with terms of service acceptance. This produces consent records that are technically present but legally invalid under GDPR, creating a false sense of compliance that collapses under regulatory scrutiny.
• Treating pseudonymised data as non-personal. Pseudonymised data remains personal data under GDPR (Recital 26) and requires a lawful basis for processing. Organisations that exclude pseudonymised data from lawful basis enforcement create an uncontrolled processing channel.
• Consent withdrawal grace periods exceeding regulatory requirements. Some implementations allow a "grace period" of days or weeks after consent withdrawal before processing stops. Under GDPR, withdrawal must take effect without undue delay. A 72-hour maximum propagation window is defensible; a 30-day grace period is not.

Industry Considerations

Financial Services. Banks and insurers process personal data under multiple lawful bases simultaneously: contract (for policy administration), legal obligation (for AML/KYC), legitimate interest (for fraud detection), and consent (for marketing). AI agents in financial services must track which lawful basis applies to each processing activity and ensure that data accessed under one basis is not repurposed under another without verification. The FCA expects firms to demonstrate that AI systems process customer data only for the purposes for which a lawful basis exists, particularly under Consumer Duty requirements for good customer outcomes.

Healthcare. Health data is special category data under GDPR Article 9, requiring both a lawful basis under Article 6 and an additional condition under Article 9. AI agents processing health data must verify both conditions before processing. Common combinations include: Article 6(1)(b) contract + Article 9(2)(h) healthcare provision, or Article 6(1)(e) public task + Article 9(2)(i) public health. Consent for health data processing must be "explicit" under Article 9(2)(a), a higher standard than the "unambiguous" consent required under Article 6(1)(a). The Caldicott Principles provide additional governance requirements for health data in the UK.

Public Sector. Public sector AI agents frequently rely on the "public task" lawful basis (Article 6(1)(e)). This basis requires that the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority. The scope of processing must be proportionate to the public task — an AI agent deployed to process benefits applications may not use the same data for law enforcement purposes without a separate lawful basis. The public sector transparency requirements under GDPR Article 14 are particularly relevant where agents process data obtained from sources other than the data subject.

Maturity Model

Basic Implementation — The organisation maintains a lawful basis register in spreadsheet or document form, mapping each agent to its recorded lawful basis and processing purposes. Verification is manual: a data protection officer reviews the register periodically (quarterly or annually) and confirms that agents are operating within scope. Consent records are maintained in the platform where consent was collected but are not automatically checked before agent processing. Consent withdrawal is processed manually, typically within 5-10 business days. This level meets minimum documentary requirements but has significant gaps: the register may be out of date, agents may have expanded their processing beyond the assessed scope, and consent withdrawal delays create a window of unlawful processing.

Intermediate Implementation — Lawful basis verification is implemented as an automated pre-processing gate. The gate queries a structured lawful basis register and consent management platform before permitting agent data access. Consent withdrawal propagates to all processing systems within 72 hours via event-driven architecture. The system generates alerts when an agent's processing patterns diverge from the recorded lawful basis. Purpose-bound data views restrict agent access to data categories covered by the recorded basis. The lawful basis register is version-controlled with change history. Data protection impact assessments are reviewed when agents are modified or when processing activities change.

Advanced Implementation — All intermediate capabilities plus: real-time consent propagation (under 30-second latency at 99th percentile), automated purpose drift detection comparing actual processing patterns to registered purposes, dynamic lawful basis verification that accounts for changing conditions (expired contracts, amended legislation, withdrawn consent), integration with AG-047 (Cross-Jurisdiction Compliance Governance) to apply jurisdiction-specific lawful basis requirements automatically, and independent audit of the verification mechanism by a qualified data protection auditor annually. The organisation can demonstrate to any data protection authority, within 24 hours of request, the lawful basis relied upon for any specific processing activity performed by any agent at any point in time.

7. Evidence Requirements

Required artefacts:

• Lawful basis register. Structured record mapping each agent, each data category, and each processing purpose to a specific lawful basis, with references to supporting documentation (consent records, legitimate interest assessments, contract references, statutory citations). Format: structured data (JSON, database export, or structured register). Not a prose narrative.
• Consent management records. For each data subject where consent is the lawful basis: the consent record showing when consent was given, what information was provided, the specific purposes consented to, and any withdrawal records with timestamps. Minimum retention: duration of processing plus 3 years.
• Pre-processing gate logs. Timestamped records of lawful basis verification decisions showing: the agent, the processing activity, the data category, the lawful basis evaluated, the verification result (permit/block), and for consent-based processing, the consent status at the time of evaluation. Minimum 12 months retention at full detail; summary statistics retained for 7 years.
• Purpose drift analysis reports. Periodic (at least quarterly) reports comparing agents' actual processing patterns against registered lawful basis scope, with findings and remediation actions documented.

Retention requirements:

• Lawful basis register versions: minimum 7 years for regulated financial services; minimum 6 years for healthcare; minimum 5 years for other sectors.
• Consent records: duration of the processing relationship plus 5 years (to address post-relationship complaints and regulatory inquiries).

Access requirements:

• Producible to data protection authorities within 72 hours of request. Consent records for individual data subjects producible within 30 days of a subject access request under GDPR Article 15.

8. Test Specification

Testing AG-059 compliance requires verifying both the structural enforcement of lawful basis and the operational effectiveness of consent management.

Test 8.1: Lawful Basis Verification Gate — Positive Path

• Stimulus: Submit a data processing request from an agent where a valid lawful basis is recorded in the register for the agent, data category, and processing purpose.
• Expected behaviour: The pre-processing gate permits the request and logs the verification decision with the lawful basis relied upon.
• Pass criteria: Processing proceeds and the verification log contains a complete record of the basis evaluated.
• Fail criteria: Processing is blocked despite a valid lawful basis, or processing proceeds without a verification log entry.

Test 8.2: Lawful Basis Verification Gate — No Basis Recorded

• Stimulus: Submit a data processing request from an agent where no lawful basis is recorded in the register for the requested data category or processing purpose.
• Expected behaviour: The pre-processing gate blocks the request before any personal data reaches the agent. A structured rejection is returned indicating the missing lawful basis.
• Pass criteria: No personal data is processed. The rejection response identifies the specific gap (missing basis for data category, purpose, or both).
• Fail criteria: Any personal data is processed without a recorded lawful basis, or the system defaults to permissive operation.

Test 8.3: Consent Withdrawal Propagation

• Stimulus: Record consent withdrawal for a specific data subject and processing purpose. Within 72 hours, submit a processing request from an agent for that data subject under the consent lawful basis.
• Expected behaviour: The pre-processing gate detects the withdrawn consent and blocks the processing request.
• Pass criteria: Processing is blocked. The propagation latency from withdrawal to enforcement is within the 72-hour requirement. The verification log records the withdrawal as the reason for blocking.
• Fail criteria: Processing proceeds after consent withdrawal, or propagation latency exceeds 72 hours.

Test 8.4: Consent Validity Verification

• Stimulus: Create consent records with known deficiencies: bundled consent (combined with terms of service), pre-ticked checkboxes, missing information notices, and consent for unspecified purposes. Attempt to rely on these records as a lawful basis.
• Expected behaviour: The system flags or rejects consent records that do not meet the validity requirements configured for the applicable jurisdiction.
• Pass criteria: Invalid consent records are identified and cannot be relied upon as a lawful basis for processing.
• Fail criteria: Invalid consent records are accepted as a valid lawful basis without verification of the consent quality.

Test 8.5: Purpose Drift Detection

• Stimulus: Configure an agent with a lawful basis for processing purpose A (e.g., "expense processing"). Direct the agent to perform processing activities consistent with purpose B (e.g., "employee performance profiling") using the same data.
• Expected behaviour: The purpose drift detection mechanism identifies that the agent's processing activities do not match the registered purpose and generates an alert or blocks the divergent processing.
• Pass criteria: Purpose drift is detected and reported within one monitoring cycle (maximum 24 hours for real-time monitoring, maximum 7 days for periodic monitoring).
• Fail criteria: Purpose drift is not detected, or the agent continues to process data for purposes outside the registered lawful basis without alert.

Test 8.6: Special Category Data Additional Conditions

• Stimulus: Submit a processing request for special category data (e.g., health data, biometric data) with a valid Article 6 lawful basis but without a valid Article 9 condition.
• Expected behaviour: The pre-processing gate blocks the request, identifying that special category data requires an additional condition under Article 9 (or equivalent national provision).
• Pass criteria: Special category data processing is blocked when the Article 9 condition is missing, even if the Article 6 basis is valid.
• Fail criteria: Special category data is processed without verification of the Article 9 condition.

Test 8.7: Lawful Basis Re-evaluation on Processing Change

• Stimulus: Modify an agent's processing configuration to add a new data category or processing purpose. Attempt to process data under the new configuration before updating the lawful basis register.
• Expected behaviour: The pre-processing gate blocks processing for the new data category or purpose because no lawful basis is recorded for it.
• Pass criteria: New processing activities are blocked until a lawful basis is recorded. The system does not inherit the existing basis for the new activity.
• Fail criteria: New processing activities proceed under the assumption that the existing lawful basis covers the expanded scope.

Conformance Scoring

• Score 0: No lawful basis tracking — agents process personal data without any recorded lawful basis or consent management.
• Score 1: Lawful basis documented but not enforced — a register exists but is not consulted before processing; consent records exist but withdrawal is not propagated to agents.
• Score 2: Lawful basis enforced at infrastructure layer — pre-processing gate verifies lawful basis before permitting access; consent withdrawal propagates within 72 hours.
• Score 3: Verified by independent audit — an independent data protection auditor has verified the enforcement mechanism, consent management, and purpose drift detection, and found no gaps in coverage.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
GDPR	Article 6 (Lawfulness of Processing)	Direct requirement
GDPR	Article 7 (Conditions for Consent)	Direct requirement
GDPR	Article 9 (Processing of Special Categories of Data)	Direct requirement
GDPR	Article 13/14 (Information to be Provided)	Supports compliance
UK GDPR	Articles 6, 7, 9 (as retained)	Direct requirement
EU AI Act	Article 10 (Data and Data Governance)	Supports compliance
CCPA/CPRA	Section 1798.100 (Consumer Right to Know), Section 1798.120 (Right to Opt-Out)	Direct requirement
LGPD (Brazil)	Articles 7-11 (Legal Bases for Processing)	Direct requirement
POPIA (South Africa)	Section 11 (Justification for Processing)	Direct requirement
ISO 42001	Clause 6.1 (Actions to Address Risks)	Supports compliance

GDPR — Article 6 (Lawfulness of Processing)

Article 6 establishes the six lawful bases for processing personal data. For AI agents, each processing activity must be mapped to one of these bases. AG-059 directly implements the requirement that processing is lawful — it ensures that the infrastructure verifies lawful basis before processing occurs. The EDPB has emphasised in guidelines on AI (adopted 2024) that automated systems must not process personal data unless the lawful basis has been determined and documented for each specific processing activity, not merely for the system as a whole.

GDPR — Article 7 (Conditions for Consent)

Article 7 sets the requirements for valid consent: demonstrable, distinguishable from other matters, withdrawable, and freely given. For AI agents relying on consent, AG-059 implements the infrastructure to verify that consent meets these requirements and that withdrawal is effective. The requirement for withdrawal to be "as easy as" giving consent means that an agent must be able to stop processing as quickly as it can start — which, for an autonomous agent, means real-time or near-real-time consent status verification.

GDPR — Article 9 (Processing of Special Categories of Data)

Article 9 prohibits processing of special category data unless one of ten specific conditions is met, in addition to a lawful basis under Article 6. AI agents in healthcare, insurance, HR, and public sector contexts frequently encounter special category data. AG-059 requires that the enforcement mechanism verifies both the Article 6 basis and the Article 9 condition — a dual gate that prevents processing when either condition is not satisfied.

CCPA/CPRA — Right to Know and Right to Opt-Out

The CCPA gives California consumers the right to know what personal information is collected and the right to opt out of its sale or sharing. The CPRA extends this to the right to limit use of sensitive personal information. For AI agents operating in the US market, AG-059 ensures that opt-out requests are propagated to all agent processing activities, equivalent to consent withdrawal under GDPR. The 45-day response window under CCPA for consumer requests does not relieve the obligation to stop processing promptly upon opt-out.

LGPD (Brazil) — Articles 7-11

Brazil's LGPD establishes ten legal bases for processing (Article 7) and specific conditions for sensitive data (Article 11). The structure parallels GDPR but with differences — for example, LGPD includes "credit protection" as a standalone legal basis. AG-059 supports compliance by ensuring the lawful basis register can accommodate jurisdiction-specific bases and that the verification mechanism applies the correct requirements for each jurisdiction.

10. Failure Severity

Field	Value
Severity Rating	Critical
Blast Radius	Organisation-wide — potentially affecting every data subject whose personal data is processed by any agent without verified lawful basis

Consequence chain: Without lawful basis enforcement, AI agents process personal data unlawfully from the moment the lawful basis expires, is withdrawn, or was never valid. The failure mode is not a single incident but a systemic condition: every processing activity performed without verified lawful basis is a separate infringement. Under GDPR, the maximum fine is €20 million or 4% of annual global turnover, whichever is higher — and the fine applies per infringement category, not per incident. An agent processing 10,000 records per day without lawful basis creates 10,000 daily infringements. The reputational consequence is severe: data protection authority enforcement actions are published, creating lasting brand damage. The operational consequence is that the authority may order cessation of all processing until compliance is demonstrated, which for an AI-dependent operation may mean shutting down core business processes. The individual rights consequence is that every affected data subject has a right to compensation under GDPR Article 82, creating class action exposure. For organisations operating across jurisdictions, the failure multiplies: unlawful processing under GDPR, CCPA, LGPD, and POPIA simultaneously creates enforcement exposure in every jurisdiction.

Cross-references: AG-013 (Data Sensitivity and Exfiltration Prevention) provides the data classification that lawful basis enforcement relies upon; AG-020 (Purpose-Bound Operation Enforcement) ensures agents operate within defined purposes, which is a prerequisite for lawful basis mapping; AG-047 (Cross-Jurisdiction Compliance Governance) extends lawful basis requirements across jurisdictions; AG-049 (Governance Decision Explainability) supports the transparency requirements that accompany lawful basis obligations; AG-060 through AG-063 address related privacy dimensions within the same landscape.