What is the data protection network legitimate interests guidance for controllers? The Data Protection Network offers this guidance based on work done by its Legitimate Interests Working Group. It aims to help commercial and not-for-profit. This article discusses the data for controllers
Data Protection Network Legitimate Interests Guidance For Controllers
A data protection network legitimate interest guidance for controllers is a document that helps clarify what is necessary to comply with the GDPR. The document is on work done by the legitimate interests working group.
Legitimate interest is the most flexible of the GDPR’s lawful basis for processing personal data. Theoretically, it applies whenever an organization uses personal data in a way that the data subject would expect.
GDPR
The Data Protection Network offers this guidance based on work done by its Legitimate Interests Working Group. It aims to help commercial and not-for-profit organizations comply with the General Data Protection Regulation (GDPR).
The GDPR states that a legitimate interest may justify the processing of personal data. The term ‘legitimate interest’ has not been in the GDPR.
But Recital 50 suggests that it includes balancing interests such as public interest, the interests of commercial organizations, and the fundamental rights of individuals.
This guidance is on a working definition of legitimate interest drawn up by the DPN Legitimate Interests Working Group. It is to help organizations determine whether or not processing is lawful under the GDPR.
Assessment
Some personal data is sensitive and covered by extra rules, so organizations might not be able to process it at all. But a lot of personal data is not liable.
When organizations need to process this data, they can use legitimate interest as a lawful basis for doing so.
This guidance is to help commercial and not-for-profit organizations determine if the GDPR allows them to use legitimate interests as a lawful basis for processing personal data.
Important Steps
Under the GDPR, the data controller decides whether processing personal data is lawful. The GDPR does not require controllers to have a legitimate interest. Instead, it lets them decide this for themselves.
The GDPR says that processing is lawful if it is necessary for: fulfilling a contract with the individual; compliance with legal obligations (such as tax and accounting); protecting the vital interests of an individual, and for public interest reasons (including official statistics).
But it also says that the controller cannot rely on legitimate interest as a basis if the processing is likely to cause substantial damage or distress to the data subject.
Challenges
The GDPR is a detailed, text-heavy piece of legislation. Some organizations find that it is difficult to interpret.
This is especially true of legitimate interest as a lawful basis for processing. The GDPR does not give much detail about how organizations should use legitimate interests.
This guidance is to help organizations determine whether or not they can rely on legitimate interests as a basis for processing personal data.
It gives an overview of the legal principles that the GDPR says organizations must consider when using legitimate interests. It also includes practical advice about how to apply these principles when making decisions about processing personal data.
Conclusion
This guidance is to help organizations comply with the GDPR. It is not legal advice. Organizations should seek legal advice when making decisions about processing personal data.
The GDPR states that a legitimate interest may justify the processing of personal data. The term ‘legitimate interest’ has not been in the GDPR.