Legitimate Interest Assessment (LIA)
What is legitimate interest?
Legitimate interest is one of the six lawful bases for processing personal data under the General Data Protection Regulation (GDPR). It refers to the processing of personal data that is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
Legitimate interest is a flexible legal basis for processing personal data. It can be used in a wide range of circumstances, but it puts the onus on the controller to balance their legitimate interests and the necessity of processing the personal data against the interests, rights, and freedoms of the data subject.
To rely on legitimate interest as a legal basis for processing personal data, the controller must ensure that the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party. The controller must also ensure that the interests or fundamental rights and freedoms of the data subject do not override the legitimate interests pursued by the controller or by a third party.
Legitimate interest is provided for under Article 6(1)(f) of the GDPR:
processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
When can I use legitimate interest?
To determine whether legitimate interest is an appropriate basis for data processing, organizations must apply a three-part test:
- Identifying the Legitimate Interest ("...processing is necessary for..."): Organizations must first identify a legitimate interest that justifies the need to process personal data. This could include purposes such as fraud prevention, network security, direct marketing, or ensuring the security and integrity of IT systems.
- Assessing Necessity ("...the purposes of the legitimate interests pursued by the controller or by a third party..."): Once a legitimate interest is identified, organizations must assess whether the data processing is necessary to achieve that interest. This involves evaluating whether the same objective could be achieved through less intrusive means and whether the processing is proportionate to the intended purpose.
- Balancing with Individual Rights ("...except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child..."): Finally, organizations must balance their legitimate interests against the rights and freedoms of the individuals whose data is being processed. This requires considering the potential impact on individuals' privacy rights and ensuring that any adverse effects are minimized.
You must assess every aspect of the three-part test and record the results to illustrate the applicability of legitimate interests. This process is commonly referred to as a ‘legitimate interests assessment’ or LIA, although this precise terminology is not explicitly mentioned in the GDPR.
The Legitimate Interests Assessment (LIA) is what establishes whether the legitimate interests basis applies, so it must be carried out before data processing begins. Attempting to apply legitimate interests retrospectively, after processing has started, is not permissible. Processing personal data without a lawful basis is unlawful and inevitably results in breaches of the transparency and accountability obligations as well.
While there is no prescribed procedure, an LIA follows the three-part test described above:
- The Purpose Test: Identify the legitimate interest.
- The Necessity Test: Evaluate whether the processing is necessary.
- The Balancing Test: Consider the individual’s interests.
The purpose test
The purpose test requires organizations to clearly define the specific, explicit purposes for which personal data is collected, processed, and used. These purposes must be legitimate, lawful, and transparent, ensuring that individuals understand how their data will be utilized.
Central to the purpose test is the requirement for clarity and specificity in defining the purposes of data processing. Organizations must articulate these purposes in a clear and comprehensible manner, avoiding vague or ambiguous language. By clearly defining the purposes, organizations enable individuals to make informed decisions about their data and exercise their privacy rights effectively.
Furthermore, the purpose test serves as a safeguard against arbitrary or unfair data processing practices. It requires organizations to ensure that the purposes for processing personal data are lawful, meaning they are grounded in a valid legal basis such as consent, contractual necessity, legal obligation, vital interests, public task, or legitimate interests. Additionally, the purposes must be fair and aligned with individuals’ reasonable expectations.
Finally, under the purpose test organizations may process personal data only for purposes that are compatible with the original purposes for which the data was collected. While this allows some flexibility, organizations must assess whether any new purpose is sufficiently similar to the original purpose and whether individuals would reasonably expect their data to be used in that way.
How to demonstrate legitimate interest
The first step in demonstrating legitimate interest is to conduct a Legitimate Interests Assessment (LIA). As mentioned above, an LIA is a structured process through which organizations evaluate whether their legitimate interests outweigh the rights and freedoms of the individuals whose data they intend to process.
In addition to conducting and documenting the LIA, organizations must ensure transparency and accountability in their data processing activities. This includes informing individuals about the purposes for which their data is being processed, providing mechanisms for individuals to exercise their rights, and implementing appropriate safeguards to protect personal data from unauthorized access or misuse.
Do you need a legitimate interest assessment (LIA)?
Focus on your business and keep your compliance documents up-to-date with Seifti:
We provide GDPR consultancy and audit services covering all of your data processing activities.
Our team will validate that your company’s current data protection policies and procedures are fully compliant.
Our experts will also help you define data subject rights workflows to avoid issues with the Data Protection Authorities.
If you need further information, do not hesitate to contact us!