
Written by Teresa Troester-Falk
on August 09, 2018

In previous blogs, we have discussed legitimate interests as a lawful ground for processing personal data under the GDPR. Organisations that choose to rely on legitimate interests must carry out an internal assessment to ensure that their processing is lawful. Recording this internal assessment will help you demonstrate compliance in line with your accountability obligations under Articles 5(2) and 24. To that end, it is helpful to produce a “Legitimate Interests Report.” This report should be organised in three parts, mirroring the three conditions that Article 6(1)(f) of the GDPR sets out.


Three-Part Legitimate Interests Report

  • Part 1 - Existence of a Legitimate Interest (Purpose): This part identifies the legitimate interest(s) being pursued. They can be the interests of the controller or of a third party and can include commercial interests, individual interests or broader societal benefits.
  • Part 2 - Necessity: This part helps determine whether the processing is necessary for the stated purpose. Regulators have indicated that if you can achieve the same result in a less intrusive way, legitimate interests will not apply.
  • Part 3 - Balancing Exercise with Privacy by Design (PbD) Effectiveness Questions: Organisations must balance their interests against those of the individuals concerned. If the processing would cause unjustified harm, or if individuals would not reasonably expect the processing, then the interests of individuals are likely to override the legitimate interests. Regulators and courts have shown that the more effective the safeguards in place, the more the balance shifts in favour of the legitimate interests.

The results of your assessment can be used to generate the “Legitimate Interests Report,” which serves as a record of the legitimate interests determination and helps demonstrate compliance if required. An Approver must sign and date the report, indicating whether legitimate interests can be relied upon for the stated processing. Note that the GDPR also requires organisations to include details of the legitimate interests pursued in their privacy notices (Articles 13(1)(d) and 14(2)(b)). If the processing changes, a new legitimate interests assessment is required.

There is no standard format for a record of this consideration, but it is important to document your thinking to help show that you have proper decision-making processes in place and to justify the outcome. Below is a sample Legitimate Interests Report that documents such thinking and is easily generated using ExpertPIA.


[Figure: sample Legitimate Interests Report]

The accompanying white paper’s summary of cases contains useful examples of how the balancing exercise is conducted in practice, as well as the safeguards that were needed to tilt the balance and make the processing lawful.

