The processing ground 'legitimate interest' has recently caused a stir in the privacy world. For example, it was the topic in several court cases, such as those of VoetbalTV and the Royal Dutch Lawn Tennis Association (KNLTB), and the Dutch Data Protection Authority (AP) imposed high fines for the unlawful use of legitimate interest as a legal ground.
To ensure that this legal ground is only used in appropriate cases, a legitimate interest assessment (LIA) should be performed. In practice, performing a correct LIA turns out to be a considerable challenge for most organisations.
Art. 6 GDPR is one of the articles obliging a controller to demonstrate on which legal ground personal data are processed. Legitimate interest, defined in art. 6.1(f) GDPR, is a flexible and therefore often-used legal ground for processing personal data. It can only be relied on if the processing is necessary for the legitimate interest of the controller or a third party, and the fundamental rights and freedoms of the data subjects that require the protection of personal data do not outweigh those interests. Organisations that use this legal ground for a particular processing operation have the obligation to justify this extensively in their documentation. This can be achieved by performing an LIA.
Although a definition of an LIA and how to carry one out are not specifically mentioned in the GDPR, its structure can be derived from art. 6.1(f) GDPR. Basically, it consists of three steps. First, it must be assessed whether the purpose for which you process the data is in line with the legitimate interest you are trying to pursue. Secondly, a necessity test must be carried out, assessing whether the processing for which the legitimate interest is relied on is really necessary to achieve the purpose. Finally, a balancing test must be done to assess whether your legitimate interest outweighs the data subjects’ rights and freedoms.
Because the GDPR contains no explanation of how to execute an LIA correctly, the way organisations perform an LIA varies widely. Currently, LIAs are mainly carried out in Word or Excel by answering a varying and often small number of questions. This often results in incomplete and/or incorrect outcomes.
PrivacyPerfect Legitimate Interest Assessment
With the launch of our legitimate interest assessment module, PrivacyPerfect wants to close the gap between the legal obligation and the unclear approach to performing an LIA correctly described above. Our module consists of a purpose test, a necessity test and, at the end, a balancing test. Based on the answers given, the system estimates whether or not you have a legitimate interest for a specific processing operation. In addition, attention is paid to measures that you can implement to strengthen your interest. In this way you prevent incorrect use of Article 6(1)(f) of the GDPR.