Data Protection Toolkit - Legitimate Interests Assessment & Template

You might wish to consider relying on legitimate interests when another lawful basis (e.g. legal obligation or vital interest) is not available, or when legitimate interest presents itself as the most appropriate basis for the processing activity.

These legitimate interests can be your own (as a data controller), or the interests of third parties. Under this condition there should be clear benefit to your organisation, person or society, for the processing activity.

Contents

• What could be a legitimate interest?
• When can I rely on it?
• What if the personal data I am processing falls within the special categories of personal data?
• How do I carry out an LIA?
• What should I do if I have decided to rely on legitimate interest as my lawful basis?
• More information

What could be a legitimate interest?

The GDPR doesn’t provide a definitive or non-exhaustive list as to what is and what is not a legitimate interest, though it indicates that this could range from fraud prevention to direct marketing (Recitals 47 to 49). Every scenario will be different, however, and will ultimately need to be tested on its own merit.

It is important to remember that if you do want to rely on legitimate interests for unsolicited direct marketing by electronic communication (such as email, phone or text/SMS) additional laws apply (the Privacy of Electronic Communications Regulations). In short, unless you are contacting an existing customer whose details you obtained in the course of a sale of a product or service and provided the right to opt out, you will need to obtain the recipient's consent regardless of the outcome of your LIA.

When can I rely on it?

Legitimate interests will only be a permissible lawful basis if you can show that your processing of personal data does not override the fundamental rights and freedoms of the individual to whom the data you are processing relates (the data subject).

If you want to rely on legitimate interests as your lawful basis for a particular processing activity, you will need to carry out a Legitimate Interests Assessment (LIA) to help you to decide if this lawful basis is the most appropriate for the type of processing you want to carry out, or if you should look at the other options.

What if the personal data I am processing falls within the special categories of personal data?

If the personal data you are processing is also a special category of personal data (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation) then as well as identifying a lawful basis (such as legitimate interest) you must also comply with one of the conditions for processing special categories of personal data.

How do I carry out an LIA?

An LIA is a three part test which requires you to:

1. identify your legitimate interest;
2. show that the processing activity is necessary to achieve that legitimate interest; and
3. balance the processing activity against the rights and freedoms of the data subject.

Aside from setting out the three elements of the test, the GDPR doesn’t provide a checklist to help you decide how best to reach your conclusion. The reason for carrying out an LIA in the first place is to make you sit down and think about the processing and whether it is really fair to the individual to whom the data relates. It is not an exact science and different processing activities may require different questions to be asked.

The Information Commissioner's Office gives a list of considerations to give under each part of the test in carrying out a Legitimate Interests Assessment (LIA):

Purpose

• Why do you want to process the data – what are you trying to achieve?
• Who benefits from the processing? In what way?
• Are there any wider public benefits to the processing?
• How important are those benefits?
• What would the impact be if you couldn’t go ahead?
• Would your use of the data be unethical or unlawful in any way?

Necessity

• Does this processing actually help to further that interest?
• Is it a reasonable way to go about it?
• Is there another less intrusive way to achieve the same result?

Balance

• What is the nature of your relationship with the individual?
• Is any of the data particularly sensitive or private?
• Would people expect you to use their data in this way?
• Are you happy to explain it to them?
• Are some people likely to object or find it intrusive?
• What is the possible impact on the individual?
• How big an impact might it have on them?
• Are you processing children’s data?
• Are any of the individuals vulnerable in any other way?
• Can you adopt any safeguards to minimise the impact?
• Can you offer an opt-out?

Resource We have created an example Legitimate Interests Assessment Form based on the Information Commissioner's Office guidance to conducting a LIA. The purpose of this form is to help you carry out the purpose, necessity and balance elements of an LIA.

Answer the questions thoroughly in order to test whether your processing activity can be based on legitimate interests.

What should I do if I have decided to rely on legitimate interest as my lawful basis?

You should complete and keep a record of your assessment to provide justification for your decision to use legitimate interest as a legal basis before you start processing the data.

You will need to record what your legitimate interest is in your privacy notice along with the outcome of the LIA which you have carried out, and inform people that they have the right to object to this processing while citing specific reasons for doing so.

More information

• GDPR Article 6(1)(f)
• Information Commissioner's Office, Guide to the GDPR - Legitimate interests
• Data Protection Network, Guidance on the use of Legitimate Interests under the EU GDPR
• Article 29 Data Protection Working Party, Opinion on the notion of legitimate interests of the data controller under the 1995 Directive

Hubs

• gdpr