LEGITIMATE INTEREST ASSESSMENT
What is a balance test (legitimate interest assessment)?
When invoking legitimate interests as the basis for processing personal data, the data controller must assess whether those interests are overridden by the interests or rights of the data subjects. This assessment is made in the so-called balance test. Legitimate interest as a ground for processing is therefore by no means the easiest or necessarily the most useful ground for processing personal data: it requires weighing up the interests of the parties and carefully documenting that consideration. The documented assessment also helps the controller meet its obligation to demonstrate accountability.
When should the balance test be done?
The balance test should be performed whenever legitimate interest is invoked as the basis for processing. It should also be documented when data is processed for marketing or within a group of companies.
How is the test carried out in practice?
Assess whether legitimate interest is the most appropriate ground, or whether another ground, such as consent or a contract, could be invoked instead.
Assess whether the basic requirements for a legitimate interest are met, i.e. whether the interest is: (a) lawful, (b) clearly expressed, and (c) real and immediate (not speculative).
Assess whether the processing of personal data is necessary to achieve the benefit. If the benefit can be obtained without processing personal data, legitimate interest should not be invoked.
Assess whether the benefit overrides the fundamental rights and freedoms of the data subject. First, consider the nature of the interest being assessed: (a) what type of controller or third-party interest is concerned, (b) what benefit the processing of personal data is expected to bring, and (c) what harm would result if the interest were not pursued. Then consider the implications for the data subject: (a) the nature of the personal data, (b) how the personal data would be processed (e.g. large-scale processing, aggregation, data mining, profiling, publication), and (c) how the processing operations would affect the data subject. Finally, analyse (a) whether the data subject could expect his or her data to be used in this way, (b) whether the data subject would be likely to oppose, or at least question, the processing of his or her data, and (c) whether the data subject and the controller have a special status or relationship (e.g. children's data, or data subjects in an otherwise vulnerable position).
Ensure additional data protection guarantees. In proportion to the risks, the means may include (a) technical and organisational measures to ensure that the data are not used for decisions concerning the data subject or for other purposes (so-called functional separation); (b) widespread use of anonymisation techniques; (c) use of privacy-enhancing technologies (e.g. impact assessment); and (d) encryption of personal data.
Ensure the lawfulness and transparency of the processing, e.g. by preparing a privacy statement and making it easy for the data subject to exercise the right to object.