Legitimate Interest Assessment Procedure
GDPR Toolkit Version 4 © CertiKit
Version 1
Page 1 of 12
[Insert date]
Implementation Guidance (the header page and this section must be removed from the final version of the document)

Purpose of this document: This procedure sets out how a legitimate interest assessment should be conducted, in order to determine whether this lawful basis may apply to a specific processing of personal data.

Areas of the GDPR addressed: The following articles of the GDPR are addressed by this document: Article 6 – Lawfulness of processing.

General Guidance: Legitimate interest is a useful alternative to relying on consent for processing and may be appropriate in a number of instances, but you must be able to show that you have reached this conclusion based on a reasonable consideration of the issues involved.

Review Frequency: We would recommend that this document is reviewed at least annually.

Toolkit Version Number: GDPR Toolkit Version 4
Document Fields: This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”. To update this field (and any others that may exist in this document):
1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name
2. Press Ctrl+A on the keyboard to select all text in the document (or use Select, Select All on the ribbon)
3. Press F9 on the keyboard to update all fields
4. When prompted, choose the option to just update TOC page numbers

If you wish to permanently convert the fields in this document to text, i.e. so that they are no longer updateable, then you will need to click into each occurrence of the field and press Ctrl+Shift+F9.

If you would like to make all fields in the document visible then go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check that you have updated all fields correctly.

Further detail on the above procedure can be found in the Toolkit Completion Instructions within the Project Resources folder.
Copyright notice: Except for any third party works included in this document, as identified in this document, this document has been authored by CertiKit, and is © copyright CertiKit except as stated below. CertiKit is a trading name of Public I.T. Limited, a company registered in England and Wales with company number 6432088 and registered office at 5 Falcons Rise, Belper, Derbyshire, DE56 0QN.

Licence terms: This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence. If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third party copyright included in this document.
Disclaimer: Please note: your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only, from which you will create your own document and to which you will apply all reasonable quality checks before use. Therefore please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country. You should take all reasonable and proper legal and other professional advice before using this document. CertiKit makes no claims, promises, or guarantees about the accuracy, completeness, or adequacy of our document templates, assumes no duty of care to any person with respect to its document templates or their contents, and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.
[Replace with your logo]
Legitimate Interest Assessment Procedure
Document Ref.: GDPR-DOC-03-2
Version: 1
Dated: [Insert date]
Document Author:
Document Owner:
Revision History
Version | Date | Revision Author | Summary of Changes

Distribution
Name | Title

Approval
Name | Position | Signature | Date
Contents
1 Introduction ..... 8
2 Legitimate Interest Assessment Procedure ..... 9
2.1 The Purpose Test ..... 9
2.1.1 Objectives ..... 10
2.1.2 Benefits ..... 10
2.1.3 Impact of not processing ..... 10
2.1.4 Other Issues ..... 10
2.2 The Necessity Test ..... 11
2.3 The Balancing Test ..... 11
2.4 Assessment Decision ..... 12
1 Introduction

There are six alternative ways in which the lawfulness of a specific case of processing of personal data may be established under the GDPR. It is [Organization Name] policy to identify the appropriate basis for processing and to document it, in accordance with the Regulation. The options may be listed as follows:
• Consent
• Performance of a contract
• Legal obligation
• Vital interests of a data subject
• Task carried out in the public interest
• Legitimate interest

This procedure is intended to be used when it has been identified that the lawful basis of processing in a particular case might be based on legitimate interest. This procedure should be considered in conjunction with the following related documents:
• Data Protection Policy
• Records Retention and Protection Policy
• Personal Data Analysis Procedure
• Data Subject Request Procedure
• Data Protection Impact Assessment Process
2 Legitimate Interest Assessment Procedure

The GDPR allows for the processing of personal data to be lawful where:

“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.” (GDPR Article 6, point (f))

In general, legitimate interest will apply in cases where the processing might reasonably be expected by the data subject and where its impact on the data subject’s privacy is not significant. It may also apply where there is a strong, justified reason for the organisation to carry out the processing. In Recital 47, the GDPR mentions the examples of fraud prevention and direct marketing as good candidates for legitimate interest, as long as this could reasonably be expected by the data subject, e.g. where he/she is an existing customer of the controller.

In order to fully establish, and be able to show, that legitimate interest is a reasonable basis for processing in a specific case, a three-part test must be applied. This test requires the organisation to demonstrate:
1. the precise nature of the legitimate interest (the Purpose test)
2. that the processing is necessary for the legitimate interest (the Necessity test)
3. that the data subject’s interests, rights and freedoms do not override the organisation’s legitimate interests (the Balancing test)

This procedure uses the Legitimate Interest Assessment Form to document each of the above tests and to provide evidence, when required, that a fair assessment has been carried out. All three tests are to a great extent subjective in nature, and care should be taken that a fair and balanced approach is used and a reasonable, defensible conclusion drawn.
2.1 The Purpose Test

The purpose test seeks to establish whether the interest stated is indeed legitimate for the organisation, or for a relevant third party. This test involves defining the exact reasons for the processing and the benefits of it. On the Legitimate Interest Assessment Form, provide a considered answer to the stated questions in the following areas, including any further detail where appropriate.
2.1.1 Objectives

Describe what the processing is intended to achieve, in particular:
• What are the objectives of the processing?
• How will you know if it has achieved its purpose?
• How likely are the objectives to be met by the processing?

Try to provide a clear statement of exactly what the processing involves, e.g. direct marketing of supplementary products and services to existing customers, leading to more sales.

2.1.2 Benefits

Assess what the results of the processing provide:
• What benefits (could) derive from the processing?
• How significant are these benefits (quantify if possible)?
• Who will receive the benefits of the processing, e.g. the organisation, the public, the data subject?

Give as rounded a view as possible of the overall benefits of the processing to all parties involved, not just for the organisation. Continuing with the direct marketing example, information about your products may provide customers with a solution to a problem they have, and you may be offering a discount.

2.1.3 Impact of not processing

Describe the potential impact of not processing the personal data in the way proposed.
• How significant would the impact be?
• How likely is it that the impact would be felt?
• Who would be impacted by not processing?

This may simply be the opposite of the benefits, but for example (direct marketing again), if the organisation needs more sales to remain viable, then an impact of not processing the personal data could be job losses.

2.1.4 Other Issues

Any other issues that might be relevant:
• Has this processing been carried out before, and if so, what were the results?
• Is the processing ethical?
• Would the processing have any negative impact and, if so, what and for whom?

There may be other factors for and against the processing and it is important to present a balanced view. Try to use firm facts where possible, rather than subjective opinions.
2.2 The Necessity Test

In order for legitimate interest to be a valid lawful basis for processing personal data, it has to be shown that the processing is actually required for the benefit to be gained. Consider whether there are other ways to achieve the objectives stated in the purpose test which don’t involve processing the personal data, or involve processing less of it. On the Legitimate Interest Assessment Form, explain why the processing must happen in the way described for the intended benefits to be forthcoming. In particular:
• How does the processing relate to the benefits expected?
• Is the processing as proposed the best way to achieve the end result?
• What alternatives have been considered and why were they rejected?

Staying with the direct marketing theme, the objective of increasing sales could be met via advertising which doesn’t involve the processing of personal data. However, this method may not provide as good a return on investment as emailing customers who have already purchased similar products and services.
2.3 The Balancing Test

Having established the nature of the interest, its benefits and the fact that the processing is necessary for the benefits to be gained, the final step is to assess whether the identified interest overrides the privacy interests of the data subjects involved. Use the Legitimate Interest Assessment Form to assess this balance of interests by addressing the following questions:

• Who are the data subjects?
How can the data subjects be typically categorized? Pay particular attention to whether any of them belong to vulnerable groups such as children, or if there are any cultural considerations.

• What is the organisation’s relationship with the data subject?
Consider whether the organisation is known to the data subject and if so, what the nature of the relationship is, e.g. are they a customer, a service user or an applicant?
• What personal data are involved in the processing?
Do any of the personal data being processed fall into special or sensitive categories, such as political opinion or biometric data (e.g. fingerprints)?

• What is the likely reaction of the data subject to the processing?
Would the data subject reasonably expect the processing to be carried out or are they likely to regard it as intrusive or inappropriate? Any consultation with representatives of the data subjects would add weight to the case in this area.

• What is the potential impact on the data subject?
What consequences could the processing have on the data subject, e.g. could it take their time, affect their reputation or cost them money?

• How could the impact on the data subject be lessened?
Are there any techniques or approaches that could be used to reduce the impact on the data subject, e.g. emailing rather than telephoning, or giving them an element of choice, e.g. an unsubscribe or opt-out?
2.4 Assessment Decision

Once the three tests have been completed, an assessment must be made about whether, on balance, the processing may be considered to be lawful based on legitimate interest. The decision made must be recorded on the Legitimate Interest Assessment Form together with details of who carried out the assessment and when, and who approved the decision. Records of legitimate interest assessments must be retained as evidence that such an assessment was carried out, and as input to the relevant privacy notice.