Javascript is required
logo-dastralogo-dastra

Audit modelAnalysis of legitimate interests (LIA)

GDPR
Questionnaire to document the justification of the "legitimate interests" legal basis. This questionnaire enables legitimate interests to be analyzed by means of three tests: 1 - the legitimacy test 2 - the necessity test 3 - the proportionality test

1. Legitimacy test

1.1. Why do you want to process data?
1.2. How do you expect to benefit from the data processing?
1.3. Do third parties benefit from the data processing?
1.4. Does the data processing offer broader benefits for the public?
1.5. How important are these advantages?
1.6. What are the consequences of not carrying out the treatment?
1.7. What is the desired outcome for individuals?
1.8. Is the processing necessary to comply with another regulation?
1.9. Please specify regulations
1.10. Does the processing make it possible to comply with sectoral directives or a code of conduct?
1.11. Please specify standards or codes of conduct
1.12. Does the data processing activity pose any ethical problems?
1.13. Does the processing meet any of the following objectives?

If the processing falls within one of these purposes, then the interests are presumed to be legitimate.

1.14. If the processing does not meet the above objectives, the interests of the processing may be presumed legitimate if they meet the following three conditions.

All three conditions must be met cumulatively.

1.15. In the light of your answers to the previous questions, please indicate the precise purpose of the processing.
1.16. In the light of your answers to the previous questions, please specify the legitimate interests involved.

2. Necessity test

2.1. Will the data processing activity really help you achieve your goal?
2.2. Is the process used proportionate to the objective pursued? Is the process the least intrusive (e.g. a device that does not process personal data, or a different process that is more protective of privacy)?
2.3. Can you carry out the processing without using any personal data? or less data?
2.4. In view of your answers to the previous questions, do you consider that the processing is absolutely necessary to achieve the purpose described in section 1?

3. Balancing

3.1. Does the data processing activity infringe the right to data protection and privacy?

The aim of this examination is not to ensure compliance with the specific provisions of the GDPR: rather, the organization must ensure that there is no obvious infringement of the essential content, the very substance of these rights. This means taking into account the main principles of the GDPR and its main lines of force.

For example, the processing of data relating to children, the implementation of massive processing or relating to sensitive data, the absence of control by individuals over their data constitute indications of a risk of serious infringement of the right to data protection.

3.2. Does the data processing affect other fundamental rights?

Such as, for example, freedom of thought, conscience and religion, freedom of expression and information, freedom of assembly and association, the right to property, the right to asylum, the rights of the child and the elderly, social rights, citizenship rights, etc... ;

For example, the processing of data in such a way as to restrict access to essential information, such as certain political speeches, is a clear infringement of freedom of information.

3.3. Does the processing affect people's interests?

This means examining whether the processing impacts on their particular situation, over and above its possible impact on their rights, such as their physical, economic or social situation.

For example, the interests of individuals may take precedence over the legitimate interests of the controller if the processing causes them financial harm or deprives them of access to an essential service.

3.4. Specify the reasonable expectations of data subjects.

The reasonable expectations of individuals should not be confused with the information that must necessarily be brought to their attention in application of the principle of transparency. This is what a person can legitimately expect from the processing of his or her data, in the situation of the data subject and in the context of the collection. In practice, this means that the processing must not come as a surprise to the people whose data is being processed, by being, for example, totally uncorrelated with the objective pursued or the service rendered.

For example, a social network's "service promise" is to put people in touch with each other, not to profile them with a view to sending them personalized advertising.

3.5. Is there an imbalance between the interests and rights involved?
3.6. If so, what compensatory measures have been implemented to rebalance the interests and rights involved?

Compensatory measures consist of obligations of means fulfilled in a "premium" manner, as thorough as possible, or in additional guarantees to the requirements of the RGPD. They must concern the main risks of infringement of interests, rights and freedoms previously identified by the data controller and may therefore also aim to limit impacts that do not concern privacy in the strict sense.

For example, if the risk identified by the organization concerns people's control over their data, the implementation of "dashboards" enabling them to manage their preferences and exercise their rights, or allowing them to object to the processing of their data without giving any particular reason, may constitute such additional measures.

Other examples: pseudonymization or anonymization in the case of large amounts of fine-grained data that are not strictly necessary; setting up an ethics committee to monitor the possible negative effects of the use of algorithms, or in the case of medical research (apart from the obligations set out in the texts); setting up parental filters for processing aimed at children; etc.

In the event of imbalance, the data controller must therefore provide for such compensatory measures, and check that their application effectively achieves a balance between its legitimate interests and the rights and interests of the data subjects concerned by the processing it wishes to implement. If the weighting appears balanced, the data controller can base his processing on the legal basis of legitimate interest; if not, another legal basis, such as consent, should be sought.

Created at:06/12/2023

Updated on :07/29/2024

License : © Creative commons :
Attribution / Pas d'utilisation commerciale
CC-BY-NC AttributionPas d'utilisation commerciale

author :
Maëva Vidal
Maëva Vidal

Uses :3


Access all our audit templates

Try Dastra now to access all of our audit templates that you can customize for your organization.It's free and there's no obligation for the first 30 days (no credit card required)

Build my audit
Subscribe to our newsletter

We will send you a few emails to keep you informed of our news and what's new in our solution

* You will always be able to unsubscribe on each newsletter. Learn more.