Even if you have not entered into a contract with an individual or collected the individuals consent there is sometimes an opportunity to process his/her personal data anyways. The legal ground this form of processing is based on is called “legitimate interest”, and for this it is necessary (as you might guess) to have a legitimate interest for the data processing. In this article we will go through when and how an assessment of legitimate interest shall be used and give examples of when an interest can be legitimate. We will also go through what shall be done internally in your business.
What is a legitimate interest assessment?
In GDPR there are six different legal grounds to rely on for lawful processing. These six are: consent, contract, legitimate interest, legal obligation, public task and protection of vital interests. To be able to use the legal ground “legitimate interests” you need a legitimate interest for the processing. This is motivated by that your interest to process the data is stronger than the persons interest of not having his or her data processed. You can think of this relationship as a pair of scales!
How do you make a legitimate interest assessment?
Have the pair of scales in mind! The motivation of your legitimate interest shall be made through an overall assessment based on the relevant data, the relevant processing and the interests and rights of the data subjects concerned. What is demanded of you as data controller is to make a thorough assessment where you test if the data subject at the time when you collect the data, in relation to this, reasonably could expect that you use the personal data for the intended purpose. The expectations are assessed with regard to your relationship with the concerned – for example it could be mentioned that the concerned data subject is your costumer or employee. If so, the data subject might not be so shocked that you are processing their personal data for something new.
A rule of thumb could therefore be to ask yourself: “will the data subject be surprised that I process his or her data for this specific purpose?”. A surprised reaction from the data subject could be an indicator that your interest of processing is not stronger than the interest of the data subject to not have his or her data processed.
The legitimate interest assessment shall therefore contain:
- What categories of personal data that are affected by the specific processing, for example name, birth date and phone number;
- A motivation of your interest of processing the personal data;
- A motivation of why your interest of processing the personal data is legitimate;
- A description of the data subjects’ fundamental rights and freedoms and why they might not have an interest in having their personal data processed;
- A motivation of why the processing of personal data is necessary to achieve the intended purpose.
Should the legitimate interest assessment be in writing?
As a data controller, you have a responsibility in accordance with the GDPR and it is not always certain that you have a legitimate interest for your processing of personal data. It is therefore always important that you document your legitimate interest assessment where you motivate why your interest is stronger than the fundamental rights and freedoms of the data subject. This legitimate interest assessment should preferably be approved by the board, since the board is ultimately responsible for your GDPR-work.
Transfer based on legitimate interest within a corporate group
We will now look at what happens when you transfer personal data within a corporate group and base it on a legitimate interest assessment. When groups of companies are in a corporate group it can cause some confusion – are you actually allowed to transfer personal data based on legitimate interest to another company within the corporate group? The answer is the same as stated above – yes, if you have a legitimate interest! Also, in this scenario it is important to document your legitimate interest assessment in the same way as when you document your personal data processing, thus it can often be motivated by an administrative purpose.
This concept means that a company is directly contacting the customer, and in the preamble of the GDPR it is stated that “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”. A notorious example is telemarketing. As we can see here, it is a necessity to have a legitimate interest assessment as stated above, since the wording ”may” demonstrates that the interest is not always legitimate.
When is legitimate interest a no-go?
Public authorities should generally not use legitimate interest in their processing of personal data, since they should preferably base their processing on law.
Remember – right to object
The person (data subject) whose personal data is being processed based on legitimate interest always has the right to object to that processing. If the person objects and asks you to stop using his or her personal data for the purpose of processing, you must stop doing it directly after the objection has been received. Thus, you are always entitled to make a new legitimate interest assessment.
Do you want to know more or do you need help to make a legitimate interest assessment?
If you have and questions regarding the GDPR or GDPR Hero you are welcome to contact us. Do your organization need help on how to become GDPR-compliant? Book a demonstration of GDPR Hero here or create an account here.