NAALA | Not An Average Legal Advisor

Menu

What is IVD Software?

Legitimate Interest Assessment: A Key Component of GDPR Compliance

By: Sofie Geurts – Junior consultant at NAALA 

Published on 3 August, 2023

Amy Eikelenboom

Co-founder of NAALA

Published on 3 August 2023

The GDPR, among other things, facilitates the processing of personal data. The processing of personal data is allowed only for a good reason prescribed by law – a so-called legal basis. The law provides six such bases, of which “legitimate interest” is one. A legitimate interest requires an evaluation known as a Legitimate Interest Assessment (LIA) to successfully invoke this basis. According to court decisions, this test is necessary to demonstrate that the interest for processing personal data can be considered legitimate enough. The European Court of Justice has ruled that organizations must be able to demonstrate the justification behind their data processing activities through a legitimate interest test (LIA). In this blog post, we will dig into the concept of a Legitimate Interest Assessment and explore its significance in achieving GDPR compliance.

In a nutshell 

  • An LIA helps organizations assess if they can process personal data based on a legitimate interest.
  • An LIA is a test conducted by organizations to determine if their legitimate interests outweigh the interests, rights, and freedoms of individuals whose personal data they handle.
  • When conducting an LIA, define the purpose, necessity, and conduct a balancing test for your legitimate interest.
  • After the LIA, evaluate if you can lawfully process data based on a legitimate interest.
  • Document the LIA and its results. By documenting this process, you can demonstrate that proper considerations were taken into account to justify the outcome.

Legitimate Interest

Legitimate interest, in the context of data protection, refers to one of the lawful bases for processing personal data under the GDPR. The GDPR’s text on a legitimate interest is shown here below. 

⚖️ Article 6 f GDPR
Processing shall be lawful only if the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

💡 Example
An organisation has a legitimate interest when the processing takes place within a client relationship, when it processes personal data for direct marketing purposes, to prevent fraud or to ensure the network and information security of the organisations IT systems (source: European Commission).

A legitimate interest can only be a legitimate basis if the interests or fundamental rights and freedoms of the data subject do not outweigh the interest of the organization or a third party.

Legitimate interests will most likely be an appropriate basis where a company use data in ways that people would reasonably expect and that have a minimal privacy impact. Note that when you choose a legitimate interest, it is less likely to be justified when it comes to processing data from children. The interest is often less likely to outweigh the rights and freedoms of children.

Legitimate Interest Assessment

A LIA is a test conducted by organizations to determine whether their legitimate interests outweigh the interests, rights, and freedoms of individuals whose personal data they process. It serves as a tool for organizations to establish if they can process personal data on the basis of a legitimate interest.

The LIA is a three-part test. The test is divided into purpose, necessity and a balancing test. Once all these parts have been completed, an organization can determine if they can process data based on legitimate interest.

The first requirement is that the interests of the organization qualify as legitimate. This means that those interests have been named as a legal interest in (general) legislation or elsewhere in the law. An interest that is also protected in law, deemed worthy of protection and, in principle, to be respected and ‘enforced’.

The organization must have a legitimate interest in processing the personal data, meaning they have a genuine and lawful reason for doing so. This interest must be identified and it must be explained as to why and its relevanty.

Below are some points to consider when evaluating the legitimate interest of the organization. Some examples are also given.

An organization must determine whether the interest qualifies as
legitimate. After that an organization needs to assess whether the processing of the personal data in this particular situation is necessary to pursue that interest. The processing of personal data must be necessary to achieve the stated goal. The organization should consider whether the same purpose could be achieved through alternative means that have a lesser impact on individuals’ privacy.

Below are a few points you should consider when determining if the processing is necessary.

The organization must conduct a balancing test to assess whether their legitimate interests override the rights and freedoms of the individuals. This involves considering the impact on individuals, their reasonable expectations, the nature of the data being processed, and any safeguards implemented to mitigate risks.

If the two conditions of purpose and necessity are met, but it ultimately follows from the balancing test that the interests of the data subject outweigh the interests of the organization, a legitimate interest cannot be invoked. However if the balancing test shows that the interests of the organization outweigh the interests of the data subject, the personal data can be processed on the basis of legitimate interest.

Below are a few aspects to consider when evaluating whether the interests of the organization outweigh the rights and freedoms of individuals.

📢 Consider

  • What is the nature of your relationship with the individual?
  • Is any of the data particularly sensitive or private?
  • Would people expect you to use their data in this way?
  • Are some people likely to object or find it intrusive?
  • What is the possible impact on the individual?
  • How big an impact might it have on them?
  • Are any of the individuals vulnerable in any other way?
  • Can you adopt any safeguards to minimise the impact?

After the assessment

After the three-part assessment test has been performed, you need to make the decision whether you can validly process data on the basis of a legitimate interest. It is important to ensure that the legitimate interest is not outweighed by the risks identified. If this is in fact the case, you cannot validly invoke a legitimate interest.

 

A report of the LIA performed and its outcome must be documented. By documenting this, you can show that the right considerations were made and are in place to justify the outcome. If significant changes take place that alter the LIA or its outcome, these changes should be considered and the LIA might need (partial) revision. Significant changes may include changes in purpose, nature or the context of processing.

Other key point to watch out for

When data is processed on the basis of a legitimate interest, the organization has an additional responsibility to ensure that the interests of data subjects are taken into account and the rights of data subjects are guaranteed. Such as the obligation to inform the data subject in advance about the intended processing. An organization must inform data subjects in the privacy statement that they are processing their personal data on the basis of legitimate interests. It should also be explained what these interests are.

Curious to learn more? For further insights on LIA’s or if you seek expert consultation on practical solutions, we invite you to get in touch. Our team is here to provide comprehensive guidance and address your specific needs. Contact us today to ensure compliance and navigate the complex landscape of data processing.

Questions? We are happy to discuss your specific case.

Contact us

Related

Overlap EU MDR, ISO 27001 and GDPR

As a developer of software (classified as a medical device or AI), your role extends beyond mere development…

Read more
A Guide to Crafting Effective Data Processing Agreements

In today’s digital age, businesses rely heavily on technology providers to process personal data of their…

Read more
Navigating US Data Transfer Mechanisms

Is your company struggling to navigate the complex landscape of personal data transfers between…

Read more

Please note that all details and listings do not claim to be complete, are without guarantee and are for information purposes only. Changes in legal or regulatory requirements may occur at short notice, which we cannot reflect on a daily basis. 

Liked the article? Maybe others will too. Feel free to share!