Conducting a legitimate interest assessment (LIA/Balancing test)

When a processing activity is based on the legal basis “Legitimate interest”, a balancing test or Legitimate Interest Assessment (LIA) is required. This is how you can conduct such an assessment within RESPONSUM.

Pre-requisites to get started

  • Permissions on the “Legitimate interest balancing tests (LIA)” sub-module (Under “Privacy” >> “Assessments”) as Promoted user or Power User.

Fast-track to Brilliance

  • Select the “Privacy” menu in the main menu bar
  • Under “Assessments”, select “Legitimate interest assessment (LIA)”
  • Add a new LIA by clicking “+ Create”, or select an existing assessment and click “Edit” to update it
  • In the “Identifying legitimate interest” section you first add some general details, such as the reference to the related processing activities, and answer some initial checks on the use of legitimate interest, the alternatives and the interest for the organisation. Depending on the answers provided, more fields will be shown, and the answers can already indicate whether legitimate interest can be used or not
  • In the “Scope definition” section you can provide some information about the data being processed under the Legitimate interest legal basis
  • In the “Balance of the interest” section we look into the interests of the organisation and the negative impact on the data subjects. This is done based on a set of 9 questions
  • In the “Conclusions” section we provide the result based on the built-in scoring and indicate whether legitimate interest can be used without issue or should be reconsidered. Of course you can override the score suggested by RESPONSUM if other parameters are at play.
  • Don’t forget to press ‘create’ or ‘save’ to make sure all your work is saved!

Step-by-step guidance

Go to the ‘Privacy’ menu in the top bar, and select ‘Assessments’ >> ‘Legitimate Interest Assessment (LIA)’. When you are transferred to the overview page, click the ‘Create’ button to get started.

1. Identifying legitimate interest

  • Name: Give the LIA a name. Ideally the name should be short and reflective of the issue.
  • Related processing activities: Select one or more processing activities the LIA is related to.
  • Indicate the Importance of this Processing Activity: Select how important it is for the organisation that this processing activity takes place.
  • Can the intended Processing Activity be carried out based on another Legal basis other than Legitimate Interest?: Indicate if another legal basis could be used.
    • If “Yes” is indicated you can add details to:
      • Description: Extra description on the other legal basis
      • Other legal basis: Selection from the list of legal bases to select the alternative option
  • Is this Processing Activity necessary for one or more organisational purposes?: Indicate again the importance of the activity for the organisation.
    • If “Yes” is indicated you can add details to:
      • Describe this (these) purpose(s): Give more details on the purpose if required
  • Is this Processing Activity necessary for one or more Organisational Purposes of a Third Party?: Similar question as before, but now in light of the importance of the processing for a third party.
    • If “Yes” is indicated you can add details to:
      • Describe this (these) purpose(s): Give more details on the purpose if required
      • Describe the Third Party: Give more info on the involved third party
  • Is there an allowed exception in the law, recitals, guidelines, advises or opinions?: Indicate if there is an exception defined by law, or in advice or guidelines, that allows the use of legitimate interest for this activity by default.
    • If “Yes” is indicated you can add details to:
      • Select an exception: Gives you a list of possible exceptions to choose from

2. Scope definition

  • Indicate the frequency of interactions between the organisation and the individual whose personal data are being processed?: How often the processing activity/set of processing activities entails contact with the data subjects.
  • What is the relationship between the individual whose personal data are being processed and the organisation?: Select the option that fits closest to the relationship between company and data subject.
  • Have the personal data been obtained directly or indirectly from the individual?: Method of obtaining the personal data from the data subject.
  • When/how has the data subject been informed about the processing activity? (Choose the most appropriate answer): Time of informing the data subject of the processing taking place.
  • Can the involved data subjects easily exercise their right to object?: Whether the “Right to object to processing” can easily be exercised.
  • Who holds the power to decide whether or not the Personal data processing activity will take place?: Who has the deciding power over whether the processing activity takes place or not.

3. Balance of the interests

  • Set of 9 “Yes/No” questions covering the benefit of the processing for the organisation and the negative effects on the data subject if it were to take place

4. Conclusion

  • Calculated suggestion: this displays an automatically calculated balance of the interests based on all your answers.
    • More towards the left means Legitimate interest for the company with fewer or no negative effects for the data subject
    • More towards the right (higher score) means that there might be a high interest for the organisation but also more negative impacts for the data subject (making legitimate interest less suitable for the activity)
  • You can agree or disagree with the score by using the final decision to say whether legitimate interest can be used or not.

Legitimate interest assessment

This LIA is based on the Guidance on LIA by the Data Protection Network (V2) but adapted by RESPONSUM to add an objective calculation based on weights towards the interest of the organisation and negative impacts for the data subject.

DISCLAIMER: The score provided by RESPONSUM is an indication based on context questions. RESPONSUM cannot be held accountable for any actions taken based on this calculation and allows the user to override the conclusion/score, with an explanation, if required based on additional context that is not covered by the calculation.

RESPONSUM will provide a legitimate interest score on the “Conclusion” page.

The following calculations are being used for this assessment:

| Section | Question | Answer | Interest of the organisation | Impact on data subject |
|---|---|---|---|---|
| Identifying Legitimate interest (S1Q1) | Can the intended Processing Activity be carried out based on another Legal Ground other than Legitimate Interest? | No | 0 | 0 |
| | | Yes, Consent | If this is one of the “Yes” options, Legitimate interest is by default not possible. | If this is one of the “Yes” options, Legitimate interest is by default not possible. |
| | | Yes, Performance of a Contract | If this is one of the “Yes” options, Legitimate interest is by default not possible. | If this is one of the “Yes” options, Legitimate interest is by default not possible. |
| | | Yes, Legal Obligation | If this is one of the “Yes” options, Legitimate interest is by default not possible. | If this is one of the “Yes” options, Legitimate interest is by default not possible. |
| | | Yes, Vital Interest | If this is one of the “Yes” options, Legitimate interest is by default not possible. | If this is one of the “Yes” options, Legitimate interest is by default not possible. |
| | | Yes, Public interest | If this is one of the “Yes” options, Legitimate interest is by default not possible. | If this is one of the “Yes” options, Legitimate interest is by default not possible. |
| Identifying Legitimate interest (S1Q2) | Is this Processing Activity necessary for one or more organisational purposes? | Yes | 25 | 0 |
| | | No | 0 | 0 |
| Identifying Legitimate interest (S1Q3) | Indicate the Importance of this Processing Activity | No Impact for the organisation | 1 | 0 |
| | | Benefit for the organisation | 1.5 | 0 |
| | | VeryImportant | 2 | 0 |
| | | BusinessCritical | 2.5 | 0 |
| Identifying Legitimate interest (S1Q4) | Is this Processing Activity necessary for one or more Organisational Purposes of a Third Party? | Yes | 5 | 0 |
| | | No | 0 | 0 |
| Identifying Legitimate interest (S1Q5) | Is there an allowed exception in the law, recitals, guidelines, advises or opinions? | | If “Yes” is selected, the use of Legitimate Interest is by Default possible. Further details are not necessary. | If “Yes” is selected, the use of Legitimate Interest is by Default possible. Further details are not necessary. |
| Scope definition (S2Q1) | What is the relationship between the individual whose personal data are being processed and the organisation? | Existing client (natural person) | 0 | 5 |
| | | Existing client (legal person) | 0 | 3 |
| | | Former client | 0 | 10 |
| | | Potential client | 0 | 10 |
| | | Employee or freelancer | 10 | 0 |
| | | Supplier | 5 | 0 |
| | | Others | 0 | 0 |
| Scope definition (S2Q2) | Indicate the frequency of interactions between the organisation and the individual whose personal data are being processed? | Daily | 4 | 20 |
| | | Weekly | 3 | 10 |
| | | Monthly | 2 | 6 |
| | | Several times a year | 1 | 0 |
| | | Once a year | 0 | -4 |
| | | Less than once a year | -5 | -8 |
| Scope definition (S2Q3) | Have the personal data been obtained directly or indirectly from the individual? | Directly | 5 | -5 |
| | | Indirectly | 0 | 3 |
| | | Mix of both | 2 | -1 |
| Scope definition (S2Q4) | Who holds the power to decide whether or not the Personal data processing activity will take place? | Organisation | 0 | 5 |
| | | Data subject | 5 | 0 |
| | | Relationship is in balance | 0 | 0 |
| Scope definition (S2Q5) | When/how has the data subject been informed about the processing activity? (Choose the most appropriate answer) | A long time before the start of the processing activity | 0 | -5 |
| | | Right before the start of the processing activity | 0 | 0 |
| | | During the processing activity | 0 | 3 |
| | | After the processing activity is finished | 0 | 5 |
| | | Via the privacy policy | 0 | 8 |
| | | No | 0 | 10 |
| Scope definition (S2Q6) | Can the involved data subjects easily exercise their right to object? | Yes | 5 | 0 |
| | | No | 0 | 5 |
| Balance of interests (S3Q1) | Would the data subject expect his/her personal data to be processed for this purpose? | Yes | 0 | 0.5 |
| | | No | 0 | 1 |
| Balance of interests (S3Q2) | Would the data subject expect this processing activity to take place? | Yes | 0 | 0.5 |
| | | No | 0 | 1 |
| Balance of interests (S3Q3) | Does the processing activity add value to a product or service for the data subject? | Yes | 0 | -10 |
| | | No | 0 | 5 |
| Balance of interests (S3Q4) | Is the processing likely to negatively impact the data subject rights? | Yes | 0 | 5 |
| | | No | 0 | -5 |
| Balance of interests (S3Q5) | Is the processing likely to result in unwarranted harm to the data subject? | Yes | 0 | 15 |
| | | No | 0 | -5 |
| Balance of interests (S3Q6) | Would there be a prejudice to the data controller if the processing doesn’t take place? | Yes | 15 | 0 |
| | | No | -5 | 0 |
| Balance of interests (S3Q7) | Would there be a prejudice to a third party if the processing doesn’t take place? | Yes | 5 | 0 |
| | | No | -3 | 0 |
| Balance of interests (S3Q8) | Is the personal data processing activity in the interests of the data subject whose personal data is being processed? | Yes | 0 | 25 |
| | | No | 0 | 75 |
| Balance of interests (S3Q9) | Can the processing be considered by the data subject as intrusive or inappropriate? | Yes | 0 | 0 |
| | | No | 0 | 0 |

Calculation

Interest of the organisation (Interest Score)

To combine all weights, use the following formula:

((S1Q1 + S1Q4) * S1Q3) + S2Q1 + S2Q2 + S2Q3 + S2Q5 + S2Q6 + S3Q6 + S3Q7

Bring that number to a score of 100 (by dividing by the maximum possible score):

(Interest Score / 119) * 100

Impact on the data subject (Impact Score)

To combine all weights, use the following formula:

S3Q8 * Average(S3Q1 & S3Q2) + S2Q1 + S2Q2 + S2Q3 + S2Q4 + S2Q5 + S2Q6 + S3Q3 + S3Q4 + S3Q5

Bring that number to a score of 100 (by dividing by the maximum possible score):

(Impact Score / 153) * 100
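
The two formulas above, applied to the weight table, as an added example (not RESPONSUM's own code). It assumes that the interest formula's first term uses the 25-point S1Q2 weight where the page writes S1Q1, because that reading reproduces the stated maximum of 119, and that Average(S3Q1 & S3Q2) is the arithmetic mean; the function name and sample answers are constructed for illustration.

```python
# Added example. Weights transcribed from the table: answer -> (interest, impact).
def yn(yes, no):
    return {"Yes": yes, "No": no}

W = {  # S1Q1/S1Q5 are gates; S3Q9 weighs 0 in both columns and is left out
    "S1Q2": yn((25, 0), (0, 0)), "S1Q4": yn((5, 0), (0, 0)),
    "S1Q3": {"No Impact for the organisation": (1, 0), "Benefit for the organisation": (1.5, 0),
             "VeryImportant": (2, 0), "BusinessCritical": (2.5, 0)},
    "S2Q1": {"Existing client (natural person)": (0, 5), "Existing client (legal person)": (0, 3),
             "Former client": (0, 10), "Potential client": (0, 10),
             "Employee or freelancer": (10, 0), "Supplier": (5, 0), "Others": (0, 0)},
    "S2Q2": {"Daily": (4, 20), "Weekly": (3, 10), "Monthly": (2, 6), "Several times a year": (1, 0),
             "Once a year": (0, -4), "Less than once a year": (-5, -8)},
    "S2Q3": {"Directly": (5, -5), "Indirectly": (0, 3), "Mix of both": (2, -1)},
    "S2Q4": {"Organisation": (0, 5), "Data subject": (5, 0), "Relationship is in balance": (0, 0)},
    "S2Q5": {"A long time before the start of the processing activity": (0, -5),
             "Right before the start of the processing activity": (0, 0),
             "During the processing activity": (0, 3), "After the processing activity is finished": (0, 5),
             "Via the privacy policy": (0, 8), "No": (0, 10)},
    "S2Q6": yn((5, 0), (0, 5)),
    "S3Q1": yn((0, 0.5), (0, 1)), "S3Q2": yn((0, 0.5), (0, 1)), "S3Q3": yn((0, -10), (0, 5)),
    "S3Q4": yn((0, 5), (0, -5)), "S3Q5": yn((0, 15), (0, -5)), "S3Q6": yn((15, 0), (-5, 0)),
    "S3Q7": yn((5, 0), (-3, 0)), "S3Q8": yn((0, 25), (0, 75)),
}

def lia_score(a):
    """Return (gate, interest_pct, impact_pct); gate is None unless a default rule decides."""
    if a["S1Q1"] != "No":  # any "Yes, <legal basis>" answer; checked first (assumption)
        return ("not possible: another legal basis applies", None, None)
    if a["S1Q5"] == "Yes":
        return ("possible by default: allowed exception", None, None)
    org = {q: W[q][a[q]][0] for q in W}
    subj = {q: W[q][a[q]][1] for q in W}
    # Assumption: S1Q2 stands where the page's formula writes S1Q1 (see lead-in).
    interest = (org["S1Q2"] + org["S1Q4"]) * org["S1Q3"] + sum(
        org[q] for q in ("S2Q1", "S2Q2", "S2Q3", "S2Q5", "S2Q6", "S3Q6", "S3Q7"))
    # Assumption: Average(S3Q1 & S3Q2) is the arithmetic mean of the two weights.
    impact = subj["S3Q8"] * (subj["S3Q1"] + subj["S3Q2"]) / 2 + sum(
        subj[q] for q in ("S2Q1", "S2Q2", "S2Q3", "S2Q4", "S2Q5", "S2Q6", "S3Q3", "S3Q4", "S3Q5"))
    return (None, round(interest / 119 * 100, 1), round(impact / 153 * 100, 1))

# Constructed sample answers (not from the page).
SAMPLE = {"S1Q1": "No", "S1Q2": "Yes", "S1Q3": "BusinessCritical", "S1Q4": "Yes", "S1Q5": "No",
          "S2Q1": "Employee or freelancer", "S2Q2": "Daily", "S2Q3": "Directly",
          "S2Q4": "Data subject", "S2Q5": "Right before the start of the processing activity",
          "S2Q6": "Yes", "S3Q1": "Yes", "S3Q2": "Yes", "S3Q3": "Yes", "S3Q4": "No",
          "S3Q5": "No", "S3Q6": "Yes", "S3Q7": "Yes", "S3Q8": "Yes"}

if __name__ == "__main__":
    print(lia_score(SAMPLE))
```

The sample picks the highest-weighted interest answer for every term, so it reaches the 119 divisor exactly; swapping in the highest impact weights does the same for 153.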

If you have any questions related to this guide or way of working, please reach out to support@responsum.eu for assistance.
