GDPR Learning Hub

Six phases to analyze a legitimate interest

There are six phases to go through in order to analyze whether a legitimate interest exists for the company acting as data controller, or for a third party. If the analysis concludes that a legitimate interest exists and that it is not overridden by the interests, rights and freedoms of the data subjects, the company may carry out the processing of the personal data on that basis.

Legitimate interest is one of the six legal bases under the General Data Protection Regulation (EU) 2016/679 (GDPR). Article 6(1) of the GDPR lists the legal bases. A company must always have a legal basis for processing personal data, and this applies to each individual processing operation.

However, it is not always permissible to use “legitimate interest” as the legal basis for processing personal data. Article 6(1)(f) of the GDPR sets out this legal basis. In order to know whether it is an appropriate legal basis to use, the company should go through the following six phases to analyze whether a legitimate interest exists.

Here are the six phases to go through in order to analyze whether a legitimate interest exists:

Phase 1: Analyze whether legitimate interest is the most appropriate legal basis to use in the specific case 

Legitimate interest is not always an appropriate legal basis to use for processing personal data. There are some cases when a company should not use legitimate interest as a legal basis. For example, the company should avoid this legal basis if there is an unequal power relationship between the controller and the data subject, where the data subject is the weaker party, such as between employers and employees, or between authorities and citizens. Article 6(1) in fact expressly excludes legitimate interest as a basis for processing carried out by public authorities in the performance of their tasks.

Article 6(1)(f) also requires extra care where the data subject is a child: a child’s interests and fundamental rights are more likely to override the company’s interest, so it is not always allowed for a company to use this legal basis when the personal data belongs to children.

Therefore, companies should analyze whether another legal basis is more appropriate, for example “contract with the data subject” pursuant to Article 6(1)(b) or “consent” pursuant to Article 6(1)(a) of the GDPR.

However, it is also important to keep in mind that there are situations when a company should not use consent as a legal basis either: consent must be freely given, so it is not a valid basis where the data subject cannot realistically refuse without suffering a detriment.

Phase 2: Make sure your company meets the basic requirements of the GDPR

– Lawfulness: The processing must comply with the data protection principles in Article 5 of the GDPR and with the rest of the Regulation. In addition, the processing must comply with the other applicable laws and regulations of the country.

– Explicitly inform: According to the GDPR, companies must inform the data subjects about the processing. This also applies when the legal basis is legitimate interest. The information should make it possible for the data subject to understand what the company’s interest is and why that interest outweighs the data subject’s interest.

– Real need: In addition, the company must have a real, present need to process the personal data, rather than doing so for speculative or hypothetical future purposes.

Phase 3: Analyze whether it is possible to achieve the same objective without processing the personal data on the basis of legitimate interest 

In some cases, a company can achieve the same objectives and results by other, less intrusive means. Analyzing this is an important step, the so-called “necessity test”, which is a form of proportionality test.

The company needs to analyze and document why the processing is necessary for the stated purpose. If it is found that the company can reasonably achieve the same objective through other means, either without processing personal data or by processing less of it, the company should not process the personal data on the basis of legitimate interest.

Phase 4: Carry out a Legitimate Interest Assessment (LIA)

A company may not process personal data on the basis of legitimate interest as the legal basis, if the data subject’s interest in the protection of his or her personal data and rights and freedoms outweighs the company’s legitimate interest in the processing. 

Please note that the interest of the data subjects usually weighs heavier the more sensitive the personal data is, and also when the data subjects are children.

Just because a company carries out a legitimate interest assessment, it does not automatically mean that the company has the right to carry out the processing. If the company concludes that the interest of the data subject is higher, the processing is not allowed based on this legal basis. 

It is also important that the processing, in relation to the data subjects, is proportionate. This means that the intrusion into the data subjects’ privacy should be proportionate to the benefit the processing brings. The company must therefore weigh its interests against the interests, rights and freedoms of the data subjects, and document the outcome, before processing begins.

Phase 5: Technical and organizational security measures 

Companies must protect all personal data they process with appropriate technical and organizational measures, as Article 32 of the GDPR requires. The more sensitive the personal data, and the higher the risk to the data subjects, the stronger the security measures the company needs.

In order to reduce the consequences for data subjects in the event of a personal data breach, the company should implement a combination of different technical and organizational security measures. 

Examples of some technical and organizational measures that a company can implement: 

– Encrypt personal data. 

– Pseudonymise personal data where the purpose still requires linking records to individuals, and anonymise data that is no longer needed in identifiable form. Note that pseudonymised data is still personal data under the GDPR, because the company can re-identify the data subjects with the key.

– Use strong and unique passwords for IT systems.

– Carry out risk assessments and impact assessments. 

– Implement different permission levels for employee user accounts, so that each account can only reach the personal data its role actually needs (least privilege).

– Establish procedures to handle any personal data breaches. 

– Use multi-factor authentication (MFA) wherever possible when logging in to systems that process personal data.
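The encryption and pseudonymisation items above are where practitioners most often get it wrong, typically by treating an unkeyed hash of an e-mail address as a pseudonym. The following Python script is an added example (not code from the original page) that contrasts an unkeyed hash, a keyed HMAC pseudonym that only the key holder can re-link, and a generalised, anonymised output, and then checks whether the anonymised rows actually stop singling people out. The records, the guess list, and the in-memory key are constructed for the demo; in production the pseudonymisation key would live in a KMS or secrets manager, separate from the pseudonymised data set.

```python
"""Pseudonymisation vs. anonymisation of personal data (standard library only).

Added example for the security-measures list above; the sample records below are
constructed and do not describe real people.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from collections import Counter
from typing import Optional

# Constructed sample records (assumed schema: one direct identifier, two quasi-identifiers).
RECORDS = [
    {"email": "alice@example.com", "postcode": "SE1 7PB", "age": 34, "purchase": "umbrella"},
    {"email": "bob@example.com", "postcode": "SE1 7PB", "age": 36, "purchase": "coat"},
    {"email": "carol@example.com", "postcode": "M1 1AE", "age": 52, "purchase": "umbrella"},
]

# Demo key only. In production this is generated and stored in a KMS/HSM, never next to the data.
PSEUDONYM_KEY = secrets.token_bytes(32)


def unkeyed_hash(identifier: str) -> str:
    """A plain hash of an identifier. NOT a pseudonym: anyone can recompute it from a guess list."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def keyed_token(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym. Deterministic (same person -> same token, so records can still be
    joined for analytics), but only the key holder can recompute or re-link it."""
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymise(record: dict, key: bytes) -> dict:
    """Replace the direct identifier with a keyed token. The result is still personal data
    under Art. 4(5) GDPR because the controller can re-identify with the key."""
    out = {k: v for k, v in record.items() if k != "email"}
    out["subject_token"] = keyed_token(record["email"], key)
    return out


def anonymise(record: dict) -> dict:
    """Drop the direct identifier and generalise the quasi-identifiers. Only data that cannot
    reasonably be re-identified falls outside the GDPR (Recital 26)."""
    return {
        "postcode_area": record["postcode"].split()[0],  # "SE1 7PB" -> "SE1"
        "age_band": f"{(record['age'] // 10) * 10}s",  # 34 -> "30s"
        "purchase": record["purchase"],
    }


def k_anonymity(rows: list[dict], quasi_identifiers=("postcode_area", "age_band")) -> int:
    """Smallest group of rows sharing the same quasi-identifier values. k == 1 means at least
    one row still singles out a single person, so the data set is not anonymous yet."""
    counts = Counter(tuple(r[q] for q in quasi_identifiers) for r in rows)
    return min(counts.values()) if counts else 0


def relink(token: str, known_identifiers: list[str], key: bytes) -> Optional[str]:
    """What the key holder can do: map a token back to an identifier in its own master list."""
    for ident in known_identifiers:
        if hmac.compare_digest(keyed_token(ident, key), token):
            return ident
    return None


def guess_identifier(target: str, guesses: list[str]) -> Optional[str]:
    """What an attacker without the key can do: brute-force an unkeyed hash from a guess list."""
    for guess in guesses:
        if hmac.compare_digest(unkeyed_hash(guess), target):
            return guess
    return None


if __name__ == "__main__":
    guesses = ["alice@example.com", "mallory@example.com", "bob@example.com"]  # constructed
    print("unkeyed hash cracked:", guess_identifier(unkeyed_hash("alice@example.com"), guesses))
    tok = keyed_token("alice@example.com", PSEUDONYM_KEY)
    print("keyed token cracked without key:", guess_identifier(tok, guesses))
    print("keyed token re-linked by key holder:", relink(tok, guesses, PSEUDONYM_KEY))
    anon = [anonymise(r) for r in RECORDS]
    for r, a in zip(RECORDS, anon):
        print(pseudonymise(r, PSEUDONYM_KEY), a)
    print("k-anonymity of the 'anonymised' set:", k_anonymity(anon))
```

Running it shows the unkeyed hash being recovered from a three-entry guess list, the HMAC token resisting the same guess list, and the key holder re-linking that token. It also shows that generalising postcodes and ages is not enough on its own: the third record is alone in its group, so k-anonymity is 1 and the set would need further generalisation or suppression before it could be called anonymous rather than pseudonymised.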

Phase 6: Be transparent about the processing 

The company must be transparent with the data subjects about what personal data it processes, as Articles 13 and 14 of the GDPR require. The company must inform the data subjects of the purpose of the processing and, when relying on legitimate interest, of the legitimate interests pursued (Articles 13(1)(d) and 14(2)(b)). In addition, the company must inform the data subjects of their rights, such as the right to erasure (“the right to be forgotten”, Article 17) and how the data subject can object to the processing (Article 21).
