Applying “Legitimate Interests” in Practice under the GDPR

Written by Teresa Troester-Falk
on August 09, 2018

In previous blogs, we have discussed legitimate interests as a lawful ground for processing data under the GDPR. Organisations that choose to rely on legitimate interests must carry out an internal assessment to ensure that their processing is lawful. Recording this internal assessment will help you demonstrate compliance in line with your accountability obligations under Articles 5(2) and 24. To that end, it is helpful to produce a “Legitimate Interests Report.” This report should be organised in three parts according to the requirements of the GDPR under Article 6(1)(f).

Three-Part Legitimate Interests Report

  • Part 1 – Existence of a Legitimate Interest (Purpose): This part identifies the legitimate interests. They can be the interests of the controller or of a third party and can include commercial interests, individual interests or broader societal benefits.
  • Part 2 – Necessity: This part helps determine whether the processing is necessary. Regulators have indicated that if you can achieve the same result in a less intrusive way, legitimate interests will not apply.
  • Part 3 – Balancing Exercise with PbD Effectiveness Questions: Organisations must balance their interests against those of the individuals concerned. If the processing would cause unjustified harm, or if individuals would not reasonably expect the processing, then the interests of individuals are likely to override the legitimate interests. Regulators and courts have shown that the more effective the safeguards in place, the more the balance shifts in favour of the legitimate interests.

The results of your assessment can be used to generate the “Legitimate Interests Report,” which serves as a record of the legitimate interests determination and helps demonstrate compliance if required. An approver must sign and date the report, indicating whether legitimate interests can be relied upon for the stated processing. Note that the GDPR requires organisations to include details of their legitimate interests in their privacy notices. If the processing changes, a new legitimate interests assessment is required.

There is no standard format for a record of the consideration, but it’s important to document your thinking to help show you have proper decision-making processes in place and to justify the outcome. Below is a sample Legitimate Interests Report that documents such thinking and is easily generated using ExpertPIA.


The white paper’s summary of cases contains useful examples of how the balancing exercise is conducted in practice, as well as safeguards that were needed to tilt the balance and make the processing lawful.
