Legitimate Interest Assessment
Legitimate Interests Assessment Form
The aim of this document is to help you identify whether legitimate interest can be applied as your lawful basis for processing data. This is an important consideration and impacts many of your decisions about data protection. It is important that you are able to prove that you considered these factors when deciding that legitimate interest applies, particularly where you are relying on legitimate interest as the lawful basis for your marketing activities.
The following is based on guidance provided by the ICO and the DMA. Many thanks to these organisations for their very useful work.
Identifying A Legitimate Interest
| Question | Response |
|---|---|
| What is the purpose of the processing operation? | To allow us to respond to requests for information; complete customer orders; and send updates for our customers. Also, to allow us to operate our business and manage our staff. |
| Is the processing necessary to meet one or more specific organisational objectives? | Yes – required to respond to our clients and to manage our staff. |
| Is the processing necessary to meet one or more specific objectives of any third party? | Required to send information as requested by the customer or to complete a delivery request. |
| Does the GDPR, ePrivacy Regulation or other national legislation specifically identify the processing activity as being a legitimate activity, subject to the completion of a balancing test and positive outcome? | Yes. |
The Necessity Test
| Question | Response |
|---|---|
| Why is the processing activity important to you? | Necessary to provide information to our customers and operate our business. |
| Why is the processing activity important to other parties the data may be disclosed to, if applicable? | Necessary to enable interaction with our customers and manage our business. |
| Is there another way of achieving the objective? | No – the processing of personal data is required. |
The Balancing Test
Review of your Legitimate Interest and impact on the data subjects involved.
| Question | Guidance |
|---|---|
| Would the individual expect the processing activity to take place? | If the individual would not expect the processing to take place, this could in particular override the Controller's interests. Consider the expectations of the individual: would this processing activity be within their reasonable expectations? Have they been informed? Consider including here any evidence you may have of their expectations that this processing would occur. |
| Does the processing add value to a product or service that the individual uses? | If the processing adds value for the individual, this may strengthen the case for Legitimate Interest. |
| Is the processing likely to negatively impact the individual's interests and/or rights? | Consider here whether the processing could lead to discrimination, financial loss, reputational damage, loss of confidentiality or professional secrecy, or any other economic or social disadvantage (please note this is not an exhaustive list). Does the processing prevent data subjects exercising control over their personal data? (See GDPR Recital 75.) |
| Would the processing limit or undermine the rights of individuals? | If processing would undermine or frustrate the ability to exercise those rights in future, that might well affect the balance. |
| Is the processing likely to result in unwarranted harm or distress to the individual? | |
| Would unwarranted harm or distress to the individual occur if the processing did not take place? | |
| Would there be a prejudice to the Data Controller if processing does not happen? | Would there be a negative organisational or commercial impact on the data controller if this processing were not to take place? |
| If applicable, would there be a prejudice to the Third Party if processing does not happen? | Would there be a negative organisational or commercial impact on a Third Party if this processing were not to take place? |
| Is the processing in the interests of the individual whose personal data it relates to? | Focus your response on the customer and any potential benefits of this processing. |
| Are the interests of the individual aligned with the party looking to rely on their legitimate interests for the processing? | What are the benefits to the individual or to society? If the processing is to the benefit of the individual, then it is more likely that Legitimate Interests can be relied on, as the individual's interests will be aligned with those of the Controller. Where the processing is more closely aligned with the interests of the Controller or a Third Party than with those of the individual, it is less likely that the interests will be balanced, and greater emphasis needs to be placed on the context of the processing and the relationship with the individual. |
| What is the connection between the individual and the organisation? | Identify the connection: Existing customer / Cancelled customer / Employee or contractor / Business client / Prospect (never purchased goods or services) / Supplier / None of the above. |
| What is the nature of the data to be processed? Does data of this nature have any special protections under GDPR? | What types of personal data are being processed, e.g. contact data, financial details etc.? Is it data relating to a child? If processing Special Categories of Personal Data, another condition must be identified in addition to a lawful basis. |
| Is there a two-way relationship in place between the organisation and the individual whose personal information is going to be processed? If so, how close is that relationship? | Where there is an ongoing relationship, or indeed a more formal relationship, there may well be a greater expectation on the part of the individual that their information will be processed by the organisation. The opposite is also possible, but it does depend on the purpose of processing. Consider the nature of the relationship: Ongoing / Periodic / One-off / No relationship. |
| Has the personal information been obtained directly from the individual, or obtained indirectly? | Consider whether personal information has been collected: Directly / Indirectly / A mix of both. If the information was obtained directly from the individual, then you should take due consideration of the Fair Processing Notice, the relationship with the individual and their expectations of use. If the data was collected directly and these factors are positive, then it may tip the balance in favour of the processing operation. Where Personal Data is not collected directly, there may need to be a more compelling Legitimate Interest to overcome this. It will also depend on the context of the processing and whether the organisation has a two-way relationship with the individual. |
| Is there any imbalance in who holds the power between the organisation and the individual? | If the organisation has a dominant position, this places more responsibility on the Controller to ensure that the interests and rights of the individual are protected. The Controller will need to consider how it addresses any imbalance of power to ensure individuals' rights are not impacted. |
| Is it likely that the individual may expect their information to be used for this purpose? | Given the relationship between the parties and the services/products being provided, including the information notices available, would the individual reasonably expect or anticipate that their information would be used for those or connected purposes? The stronger the expectation, the greater the chances that Legitimate Interests can be relied on. |
| Could the processing be considered intrusive or inappropriate? In particular, could it be perceived as such by the individual or in the context of the relationship? | Processing should not be unduly intrusive. Intrusion into the private life of an individual may be justified based on the nature of the relationship or special circumstances. However, the greater the intrusion, perceived or otherwise, the more overwhelming the Legitimate Interest should be and the more the rights of the individual must be considered within the balance. Consider here the way the data is processed (e.g. large scale, data mining, profiling, disclosure to a large number of people or publication). |
| Is a Fair Processing Notice provided to the individual? If so, how? Is it sufficiently clear and up front regarding the purposes of the processing? | Remember that the more unusual, unexpected or intrusive the processing, the greater the importance of making the individual aware of the processing, particularly where Legitimate Interests are to be relied on. |
| Can the individual whose data is being processed control the processing activity or object to it easily? | Giving the individual increased control or elements of control may help a Controller rely on Legitimate Interests where otherwise they could not. If individual control is not possible or not appropriate, explain why. |
| Can the scope of the processing be modified to reduce/mitigate any underlying privacy risks or harms? | If yes, briefly cover how you will achieve this. This is a similar concept to a Data Protection Impact Assessment: where a DPIA might identify potential privacy harms, it also allows the organisation to mitigate the risk of non-compliance by adapting or altering the scope of the activity. The same is true for an LIA. If you conclude that the processing presents a privacy risk to the individual, the processing can be limited or adapted to reduce the potential impact. |
Safeguards And Compensating Controls
Safeguards include a range of compensating controls or measures that may be put in place to protect the individual, or to reduce any risks or potentially negative impacts of processing. These are likely to have been identified via a Privacy Impact Assessment conducted in relation to the proposed activity. Examples include data minimisation, de-identification, technical and organisational measures, privacy by design, adding extra transparency, additional layers of encryption, multi-factor authentication, retention limits, restricted access, opt-out options, hashing, salting, and other technical security methods used to protect data.
Please include a description of any compensating controls that will be put in place or are already in place to preserve the rights of the individual.
We collect only the data required to respond to customers, send updates to existing customers, and send marketing information to previous customers. We process data as required to operate our business. We store data securely and restrict access to only the people that require access to the data.
Reaching A Decision And Documenting The Outcome
Using the responses above, now document if you believe you are able to rely on Legitimate Interests for the processing operation. Please explain, perhaps using bullet points, why you are, or are not, able to rely on this legal basis. You should draw on the answers you have provided in this LIA.
Considering the above, we are confident that the processing of data as necessary to run our business and as described in our documentation will not cause any undue concern to our clients, employees, or any third party, and that our actions are reasonable.
Recitals About Legitimate Interest
For more background information please refer to the GDPR recitals.
The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller.
Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.
At any rate, the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place.
The interests and fundamental rights of the data subject could override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing.
Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks.
The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned.
The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
Controllers that are part of a group of undertakings or institutions affiliated to a central body may have a legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of clients’ or employees’ Personal Data.
The general principles for the transfer of personal data, within a group of undertakings, to an undertaking located in a third country remain unaffected.
The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned.
This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to the computer and electronic communication systems.
The processing of personal data for purposes other than those for which the personal data were initially collected should be allowed only where the processing is compatible with the purposes for which the personal data were initially collected.
In such a case, no legal basis separate from that which allowed the collection of the personal data is required.
If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Union or Member State law may determine and specify the tasks and purposes for which the further processing should be regarded as compatible and lawful.
Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be considered to be compatible with lawful processing operations.
The legal basis provided by Union or Member State law for the processing of personal data may also provide a legal basis for further processing.
In order to ascertain whether a purpose of further processing is compatible with the purpose for which the personal data are initially collected, the controller, after having met all the requirements for the lawfulness of the original processing, should take into account, inter alia: any link between those purposes and the purposes of the intended further processing; the context in which the personal data have been collected, in particular, the reasonable expectations of data subjects based on their relationship with the controller as to their further use, the nature of the personal data, the consequences of the intended further processing for data subjects, and the existence of appropriate safeguards in both the original and intended further processing operations.
Where the data subject has given consent or the processing is based on Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard, in particular, important objectives of general public interest, the controller should be allowed to further process the personal data irrespective of the compatibility of the purposes.
In any case, the application of the principles set out in this Regulation and the information of the data subject on those other purposes and on his or her rights including the right to object, should be ensured.
Indicating possible criminal acts or threats to public security by the controller and transmitting the relevant personal data in individual cases or in several cases relating to the same criminal act or threats to public security to a competent authority should be regarded as being in the legitimate interest pursued by the controller. However, such a transmission in the legitimate interest of the Controller or further processing of personal data should be prohibited if the processing is not compatible with a legal, professional or other binding obligation of secrecy.
To further strengthen the control over his or her own data, where the processing of personal data is carried out by automated means, the data subject should also be allowed to receive personal data concerning him or her which he or she has provided to a controller in a structured, commonly used, machine-readable and interoperable format, and to transmit it to another controller.
Data controllers should be encouraged to develop interoperable formats that enable Data Portability.
That right should apply where the data subject provided the personal data on the basis of his or her consent or the processing is necessary for the performance of a contract. It should not apply where processing is based on a legal ground other than consent or contract.
By its very nature, that right should not be exercised against controllers processing personal data in the exercise of their public duties. It should therefore not apply where the processing of the personal data is necessary for compliance with a legal obligation to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of an official authority vested in the controller.
The data subject’s right to transmit or receive personal data concerning him or her should not create an obligation for the controllers to adopt or maintain processing systems which are technically compatible.
Where, in a certain set of personal data, more than one data subject is concerned, the right to receive the personal data should be without prejudice to the rights and freedoms of other data subjects in accordance with this Regulation.
Furthermore, that right should not prejudice the right of the data subject to obtain the erasure of personal data and the limitations of that right as set out in this Regulation and should, in particular, not imply the erasure of personal data concerning the data subject which have been provided by him or her for the performance of a contract to the extent that and for as long as the personal data are necessary for the performance of that contract. Where technically feasible, the data subject should have the right to have the data transmitted directly from one controller to another.