GDPR Learning Hub

Legitimate Interest Assessment (LIA)

Balancing of interests to investigate legitimate interest

Companies need to carry out and document a balancing of interests to investigate legitimate interest before any processing can take place on this legal basis. Legitimate interest is a common legal basis for the processing of personal data.

Carry out a balancing of interests to investigate whether the company has a legitimate interest

To assess whether or not the company has a legitimate interest, the company must carry out a balancing of interests. According to the GDPR, companies must be able to demonstrate that they comply with the regulation in practice. It is therefore good practice to document all the work, such as the Legitimate Interest Assessment (LIA) that was conducted. Where it is possible to achieve the same purpose in a less privacy-sensitive manner, the processing shall not be based on legitimate interest.

Companies must always make an overall assessment in each individual case when they rely on legitimate interest as the legal basis for a processing operation. It is important to consider whether the data subject can reasonably expect the processing to take place in the intended manner.

There must be a clear purpose for the processing

In the Legitimate Interest Assessment (LIA), it must be clear what the purpose of the processing is. In addition, the purpose must be justified. In other words, the processing in question must be proportionate to the purpose. It is the purpose that determines what the company may do with the personal data. When the personal data collected is no longer needed for the purpose, it shall be erased or anonymised.

Is it permissible to transfer personal data to a third party on the basis of a legitimate interest?

Yes, it is allowed to transfer personal data to a third party on the basis of a legitimate interest. However, the transfer must be justified. In addition, the company must first find out:

Purpose

What is the purpose of providing the personal data?

Necessity

Is it really necessary to provide the personal data?

Examples of when companies may have a legitimate interest in processing personal data

Prevent fraud

Fraud is a major problem in society and companies may have a legitimate interest in processing personal data to prevent it. Please note that the processing must be strictly necessary to prevent this type of crime.

Direct marketing

Companies may have a legitimate interest in carrying out direct marketing, according to Recital 47 of the GDPR. This is usually the case if there is a previous business relationship between the parties, such as marketing to a previous customer. For new ‘cold contacts’, consent is usually needed to carry out direct marketing. Please note that companies must cease direct marketing if the data subject so requests and objects to the processing pursuant to Article 21(2) of the GDPR.

Employee safety

There may be a legitimate interest in ensuring the security of employees through certain processing of their personal data. It is important that the purpose of the processing in such cases is clear and justified. For example:

  • A security guard or other security personnel using an assault alarm provided by their employer for use in any threat situation.
  • Camera surveillance in entrances, warehouses, garages or server rooms, when the purpose of the processing is, for example, to prevent burglary, sabotage and violence and to protect staff, customers and company property.
  • Collection and control of file access logs, logins to IT systems and network traffic, when the purpose of the processing is to detect unauthorised access, prevent data breaches and ensure information security.

Can companies process children's personal data on the basis of legitimate interest?

Yes, it may be allowed in some cases. However, it is important to keep in mind that children have stronger protection under the GDPR, so it is good to be extra careful.

Public authorities may not use legitimate interest as a legal basis

Public authorities are not allowed to base the processing of personal data on legitimate interest. This is because it is for the legislator to provide the legal basis for the processing through legislation. In other words, public authorities should base their processing of personal data on applicable law. In addition, there is an unequal power relationship between public authorities and citizens.

Request prior consultation with the national data protection authority

In some cases, companies need to request a prior consultation with the national data protection authority before commencing the processing of personal data. This applies if, after the company has carried out an impact assessment, there is still a high risk to the rights and freedoms of individuals. Please note that the company must carry out an impact assessment first, before prior consultation is requested. Through a prior consultation, the national data protection authority may assess whether or not the processing operation complies with the GDPR.
