GDPR: how to assess the legitimate interests in a processing operation? Our checklist🗒️

Paul-Emmanuel Bidault
27 December 2023·4 minutes read time

Legitimate interests are one of the six legal bases of the GDPR for processing personal data.

Why is it essential to define legitimate interests? ⚠️

The GDPR requires data controllers to document their compliance. As such, it is compulsory not only to keep a record of data processing activities (ROPA) but also to justify the decisions taken on data protection.

According to Article 6 of the GDPR, for this legal basis to be valid, the legitimate interests must not override the rights and freedoms of the persons concerned by the processing.

Reminder: this legal basis is not available for processing carried out by public authorities in the performance of their duties.

When choosing this legal basis, it is important to document your choice if it is not obvious.

The legal basis of legitimate interests may be used without having to be justified in the following cases:

  • Guaranteeing the security of a computer network and information system
  • To prevent fraud
  • Canvassing existing customers for similar products and services
  • To carry out administrative management and share data within a group (customers and HR).

In these cases, the interests are presumed to be legitimate. However, if there is any doubt about legitimacy, a test such as the one described below must be carried out.

Legitimacy test ✔️

To determine whether the interests are legitimate, here is a list of questions that you should be able to answer.

These questions come from the complete audit model available in Dastra. You can test it immediately and free of charge by creating an account!
This model includes the legitimacy test, but also the necessity test and the balancing test!

1.1. Why do you want to process the data?

1.2. What benefit do you hope to derive from the processing?

1.3. Do third parties benefit from the processing?

1.4. Are there wider public benefits from the processing?

1.5. How significant are these benefits?

1.6. What would be the consequences of not carrying out the processing?

1.7. What is the expected outcome for individuals?

1.8. Is the processing necessary to comply with another regulation?

1.9. Please specify the regulations

1.10. Does the processing make it possible to comply with industry directives or a code of conduct?

1.11. Please specify the standards or codes of conduct

1.12. Does the processing raise ethical issues?

1.13. Does the processing serve one of the following purposes?
If the processing falls within one of these purposes, then the interests are presumed to be legitimate.

  • To guarantee the security of a computer network and information system
  • To prevent fraud
  • Canvassing existing customers for similar products and services
  • To carry out administrative management and share data within a group (customers and HR)

1.14. If the processing does not meet the above objectives, the interests of the processing may be presumed to be legitimate if they meet the following three conditions:
* The three conditions must be met cumulatively.

  • The interest is manifestly lawful under the law
  • It is determined in a sufficiently clear and precise manner
  • It is real and present for the organisation concerned, and not fictitious.

1.15. In the light of your answers to the previous questions, indicate precisely the purpose of the processing operation

1.16. In the light of your answers to the previous questions, indicate precisely the legitimate interests involved
