Processing personal data—conducting a legitimate interest assessment
Processing personal data—conducting a legitimate interest assessment

The following Risk & Compliance practice note provides comprehensive and up to date legal information covering:

  • Processing personal data—conducting a legitimate interest assessment
  • Legitimate interest assessment process
  • Stage 1—articulate and assess your interest
  • Key ingredients of legitimate interest
  • The concept of ‘legitimate’
  • Questions to ask
  • Stage 2—necessity of processing
  • Stage 3—impact on the data subject
  • Impact on what?
  • Types of impact
  • More...

Processing personal data—conducting a legitimate interest assessment

The UK General Data Protection Regulation (UK GDPR) permits processing of personal data where that processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

There is clearly a balancing exercise to be done: your legitimate interests versus the fundamental rights and freedoms of the data subject.

The outcome of the assessment largely determines whether legitimate interests may be relied on as a lawful ground for processing personal data. For more guidance on legitimate interest as a lawful ground for processing, see Practice Note: Processing personal data—legitimate interests.

This Practice Note provides guidance on how to conduct a legitimate interest assessment under the UK GDPR. It is based on the UK GDPR, together with:

  1. detailed guidance from the Information Commissioner’s Office (ICO) on legitimate interests under the UK GDPR, and

  2. European guidance published by the Article 29 Working party (now EDPB) on the Notion of legitimate interests

The EDPB guidance predates the EU GDPR, but was adopted in anticipation of the EU GDPR. According to the ICO, EDPB guidelines are no longer directly relevant to the UK regime and are

Related documents:

Popular documents