14 October 2024
This month, the CJEU confirmed that a purely commercial interest can qualify as a legitimate interest under the GDPR. This decision provides certainty for organisations which rely on legitimate interests as a legal basis for processing personal data, but it is important that Data Controllers continue to assess, on a case-by-case basis, whether the intended processing could be accomplished in a way that is less intrusive for the individuals affected.
Legitimate interests is one of the six lawful bases for processing personal data under the GDPR. One of the key requirements to be able to rely on legitimate interests as a legal basis is to demonstrate that the processing is justified and proportionate.
Our recommendation is to ensure a thorough Legitimate Interests Assessment (LIA) is documented, detailing each step of the process and outlining the conclusions reached. This documentation serves as evidence for the regulatory authorities and also demonstrates that the organisation complies with the accountability principle.
Once the LIA is completed, organisations must understand that it is not a one-off exercise; LIAs should be periodically reviewed and updated to reflect any changes in processing activities or regulatory requirements.
The first step in an LIA is to clearly define the purpose of the data processing. Organisations must articulate why the processing is necessary and how it aligns with their legitimate interests. This could include activities such as training AI models, direct marketing, or transferring customer data within the same company group.
Once the purpose is identified, the next step is to evaluate whether the processing is necessary to achieve that purpose. As outlined above, organisations should consider if there are less intrusive means to achieve the same result when the purpose is purely commercial. This assessment will help ensure that the data processing is proportionate and justified.
The core of the LIA is the balancing test, where organisations weigh their legitimate interests against the potential impact on individuals’ rights and freedoms. This involves considering factors such as the nature of the data, the context of the processing, and the reasonable expectations of the data subjects. Organisations should document their findings and rationale to demonstrate compliance. The DPO is a key figure in this part of the assessment.
If there are risks identified as part of the assessment, organisations should implement appropriate safeguards in order to mitigate them, where possible. These might include data minimisation, anonymisation, or enhanced security measures. Ensuring transparency with data subjects about the processing activities and their rights is also crucial.
The DPO must oversee the LIA process, ensuring compliance with data protection requirements and providing guidance when needed. It is recommended to involve Business Unit Leaders to support the completion of the balancing test by providing insights into the business rationale for the data processing.
As a summary, a comprehensive LIA should include the following key elements:
The European Data Protection Board (the EDPB) has opened a public consultation into its Guidelines on processing personal data based on legitimate interests. We will be analysing the guidelines and the results of the public consultation.
KPMG Law offers comprehensive support to organisations undertaking Legitimate Interests Assessments. We have extensive experience helping clients from different industries. Our team has a deep understanding of the GDPR requirements, and we can support your organisation through every phase of the LIA process, ensuring compliance while carefully balancing your commercial interests.
If you have any queries related to legitimate interests assessments, please do not hesitate to contact our team below. We would be delighted to hear from you.