Here is a free document I created a while back and which I feel hasn't…
Click here to go straight to the page from where you can download your copy of this Legitimate Interests Assessment Template.
This is a (pretty good but unlikely to be perfect) template for use when you need to do a Legitimate Interests Assessment. You should complete this document because it gives you an insight into the applicability of legitimate interests and hence enables you to decide whether or not ‘Legitimate Interests’ is a suitable lawful basis for processing personal data under Article 6 of the General Data Protection Regulation (GDPR).
Disclaimer – this is not a legal review and nothing in it should be construed as such. If you want or need a legal view, please speak with a suitably experienced and qualified lawyer.
About this Legitimate Interest Assessment Template
Article 6 of the GDPR makes it clear that there are six types of lawful processing, of which ‘legitimate interests’ is one:
“6 f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
However, if you wish to use this as your lawful basis for processing personal data, you should also be aware of the following sentences in Recital 47:
“The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing.”
The key takeaway is that “the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place.”
So how do you do this? Simple. You use the Legitimate Interests Assessment Template.
It takes you through a series of Yes/No questions and then provides you with a set of ‘balancing test questions.’ Write down your answers, add up the scores and see whether your result is Positive or Negative. If the Legitimate Interests Assessment Template shows a total that is + (positive), it is likely that this activity meets the requirements for processing under ‘legitimate interests.’ If it is 0 or – (negative), you are unlikely to be able to rely on this basis and would need to find another lawful basis for your processing activity.
You should also be aware of Recital 49, which explains that ‘legitimate interests’ is acceptable where:
“The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.”
This template is intended for use in situations where the activity described in Recital 49 does not apply, i.e. where you are not invoking a need to use personal data to prevent unauthorised access…
Please note that I have based this document on a couple of sources (in addition to the GDPR itself). These are: