1 Introduction
The General Data Protection Regulation (EU)2016/679)) (GDPR) defines six legal bases under which personal data can be processed. Article 6(1)(f) refers to legitimate interests as a lawful basis for processing where: –
“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
A controllers’ interests can be defined as an advantage or benefit to them, or a stake in the processing or outcome. It is because of these ‘interests’ that the Regulation warrants an evaluation when using this legal basis, with Recital 47 stating “the existence of a legitimate interest would need careful assessment”.
2 Relying on Legitimate Interests
Relying on legitimate interests as the grounds for processing personal data is only lawful when such processing is necessary, and any controller interests are not outweighed by the rights and freedoms of the individual. The GDPR also notes that legitimate interests cannot be relied upon by public authorities in the performance of their tasks.
The GDPR mandates the documenting of any legitimate interests’ assessment and decision; as well recording in the privacy notice any legitimate interests pursued by the controller or by a third party where processing is based on point (f) of Article 6(1).
3 Assessment Stages
Whilst the GDPR does not specify the format for the legitimate interests’ assessment; the Information Commissioners Office (ICO) and European Data Protection Board (formerly The Article 29 Working Party) both refer to stages of the assessment for determining if legitimate interest the most appropriate basis for processing.
The WP29’s Guidelines on Transparency advise that: –
“The specific interest in question must be identified for the benefit of the data subject. As a matter of best practice, the data controller should also provide the data subject with the information from the balancing test, which should have been carried out by the data controller to allow reliance on Article 6.1(f) as a lawful basis for processing”.
The ICO have defined a 3-part test for assessing the use of legitimate interests and break those parts down into: –
1. Purpose
2. Necessity
3. Balancing
3.1 Purpose
Documenting the purpose of the processing and what function it serves for the controller provides the basis for identifying any legitimate interest(s) and documenting them. Defining the purpose allows the controller to establish which legal basis is most appropriate and to move onto the other assessment stages if legitimate interests is deemed appropriate.
At this stage, all identified interests should be recorded; even if they are not all being relied on for processing. The questions outlined in section 4 of this document help to produce responses that define the purpose and interests. The interests can be that of the controller or the interests of third parties, and commercial interests as well as wider societal benefits. Interests that are persuasive and significant will be less easily overridden by an individuals’ rights and freedoms when carrying out the balancing test.
3.2 Necessity
The ICO define ‘necessary’ as “processing must be a targeted and proportionate way of achieving your purpose.” You must be able to demonstrate that processing is necessary and evidence that there is no less intrusive way to achieve the same result. Consider the organisations’ interests noted from stage one and any business objectives relevant to the processing. Is the processing ‘necessary’ to achieve those interests and objectives?
If you can identify another (less intrusive) way to achieve the same objective or interest (or determine that the processing is not necessary), then you should not be relying on Legitimate Interests.
3.3 Balancing
The final stage of a Legitimate Interests Assessment (LIA) is to balance the processing against the individual’s interests, rights and freedoms. This means documenting and demonstrating an evaluation of those rights and freedoms and ensuring that the individual’s interests do not override that of the controller.
This stage is about considering the impact the intended processing would/will have on an individual and evaluating any impact against the controller’s identified interests.
4 Legitimate Interests Assessment (LIA)
The below Legitimate Interests Assessment (LIA) template can be used to determine if legitimate interest is the most appropriate legal basis for your processing. The questions in the assessment are not exhaustive; so, you should use your expertise, business knowledge and own judgement to make an informed decision. You should also customise the template and questions as to suit your processing activity and business type.
You should complete an assessment for each processing activity and ensure that this is reviewed periodically; as well as if there are any changes to the interests, purpose of processing or any factors that could change the outcome of the assessment. A LIA should be completed in compliance with the GDPR principles, the accountability principle and the Regulation requirements.
1. Purpose Test | ||
Identify the purpose of the processing and the legitimate interests you intend to rely on: | ||
Ref: | Assessment Question: | Response: |
1.1 | What are you trying to achieve with the processing? | |
1.2 | What is the purpose of the processing? | |
1.3 | Who benefits from the processing? (i.e. wider social interests, controller, third-party etc) | |
1.4 | Have you identified the relevant legitimate interests?
If yes, what are they? |
|
1.5 | Are the noted interests identified as specific legitimate interests under the GDPR, Data Protection Act 2018 or any other legislation or Regulation? | |
2. Necessity Test | ||
Determine if the processing is necessary and if any other, less intrusive option is available: | ||
Ref: | Assessment Question: | Response: |
2.1 | Can the interests/objectives be achieved in any other (less intrusive) way? | |
2.2 | Why is the processing necessary to achieve your interests/objectives? | |
2.3 | Is legitimate interests a targeted and proportionate way of achieving your purpose? | |
3. Balance Test | ||
Assess your interests against those of the individual and document any safeguarding measures: | ||
Ref: | Assessment Question: | Response: |
3.1 | Do you have any relationship with the individual(s)? | |
3.2 | Would people expect you to use their data in this way? | |
3.3 | Does the processing have a minimal privacy impact on the individual(s)?
If no, utilise the safeguards measures section in the outcome form |
|
3.4 | How does the processing benefit the individual? | |
3.5 | Can you easily and legibly explain your reasons and interests in a Privacy Notice? | |
3.6 | Are you processing high-risk, special category or confidential information? | |
3.7 | Are you processing children’s data? | |
3.8 | Is any individual likely to find the processing intrusive or raise objections? | |
3.9 | Is the processing likely to cause any distress or unwarranted harm? | |
3.10 | Do the rights and freedoms of the individual override your interests? | |
3.11 | Where using legitimate interests for direct marketing, is the individual given the opportunity to opt-out during the initial data collection and via simple, easy to access methods thereafter? |
LEGITIMATE INTERESTS ASSESSMENT DECISION AND OUTCOME | ||||||
REFERENCE NUMBER: | DIRECTIONS:
1. Complete each section and use the stage 1-3 answers to information your notes. 2. Be as detailed as possible to that clear evidence can be seen about your decisions and the assessment outcome. 3. Save a copy of each assessment under a unique name/reference so that it can easily be referred to or obtained for an evidence request |
|||||
ASSESSMENT LEAD: | ||||||
DATE: | ||||||
CONTACT DETAILS: | ||||||
1. ASSESSMENT BRIEF | ||||||
1.1 | SUMMARY: Give an outline of the reasons for completing the assessment and why legitimate interests is being considered. | |||||
1.2 | OBJECTIVES/INTERESTS: – What is the purpose of the processing and what interests have been identified?
If relying on third-party or wider public interests, document what these are. |
|||||
1.3 | POTENTIAL RISKS/IMPACT: – What risks does the processing pose and will there be any impact on the individual(s)? | |||||
1.4 | SAFEGUARDS: – Where there is any risk involved in processing or there is deemed to be an impact to any individual, it is important to put safeguarding measures into place to mitigate (where possible) the impact. These may have been identified during this LIA or could come from a risk assessment or associated Data Protection Impact Assessment (DPIA).
Such measures can include (but are not limited to): – Encryption, pseudonymisation, data minimisation, restricted access, passwords, authentication protocols and other technical and organisational measures. |
|||||
1.5 | BENEFITS: – Detail any benefits of the processing to the individual | |||||
1.6 | SUBJECT RIGHTS: – Is the individual able to exercise their data subject rights (where applicable) through this type of processing
If your legitimate interests are compelling enough to override the individual’s rights, state why. |
|||||
1.7 | PRIVACY NOTICE: – What statement will you add to your Privacy Notice(s) to explain the use of legitimate interests for this processing activity? | |||||
2. OUTCOME & DECISION | ||||||
After completing the 3-stage test and the above brief, you should now be able to decide if using legitimate interests is the most appropriate legal basis for your processing activity. If undecided, it is unlikely that this is the most appropriate basis.
Please explain in summary format why you are able to; or not able to, rely on legitimate interests for your legal basis: –
|
||||||
We are relying on legitimate interests for this processing activity: ☐ | We are not relying on legitimate interests for this processing activity: ☐ | |||||
Signed by:
Role: Authorised by: |
Print Name:
Department: Review Date: |