The concept of "interest" is closely related to that of "purpose of processing", although they are different concepts. In terms of data protection, "purpose" is the reason specific for which the data is processed and he «interest" is the benefit that the person responsible will obtain from the treatment. But what is legitimate interest?
The "legitimate interest" is one of the six legal bases that allow the processing of personal data. Each of them has its own applicability requirements and a better fit depending on the context of the treatment. But among us, as a general rule, legitimate interest is an ace in the hole.
If you want to learn more and improve professionally in a booming sector, train with us at Master in Data Protection and learn from industry experts.
Application of legitimate interest
However, its application is not always possible. It will only be so when the legitimate interest of the person responsible prevails over the interests or fundamental rights and freedoms of the interested party that require the protection of personal data. Or, in other words, when the treatment does not cause harm to the interested party equal to or greater than the benefit sought by the company.
But beware, to correctly apply this legal basis, it is not enough for the person responsible to declare (because “I am worth it”) that the rights and freedoms of the interested parties do not prevail over their interest, but rather that has to follow a specific evaluation methodology that allows you to affirm it. Well, the result of this evaluation will determine whether or not legitimate interest (article 6.1.f) of the GDPR) can be used as the legal basis for the processing.
This methodology of legitimate interest assessment, in accordance with the criteria defined by WG29, consists of pondering: the nature and source of the legitimate interest pursued by the controller, on the one hand, and the repercussions for the data subjects, on the other.
This means that The person in charge must take paper and pen. On the one hand, you will have to document specifically what the benefit that pursues with the treatment and what would be the damages derived of not being able to achieve that goal and, most important of all, If there is an alternative to treatment that also allows you to achieve that objective.
On the other hand, the person responsible must describe the processing of personal data necessary to achieve that objective, that is, what data it will process, from whom, how it was obtained and the uses it plans to make of it. Likewise, you must value the stakeholder expectations whether or not your data is subject to processing. That is, whether or not they would be surprised to discover that the company is using their data for that purpose.
Finally, the person responsible must document the risk to which you are exposing the interested parties when processing their personal data. To do this, as in any risk analysis, the threats to which the treatment is exposed and the specific controls applied to mitigate them must be clearly identified.
Knowing how to apply legitimate interest is an essential skill for every professional dedicated to data protection. Firstly, because if you use it well you can get your client out of a good problem and, secondly, because if you use it poorly it can get you into a worse one.
Do you want to specialize in Compliance and Data Protection Management?
He Master in Compliance & Data Protection Management will make you a highly qualified professional with the necessary skills to carry out specialized tasks in two of the most relevant areas for both private businesses as for public administrations: data protection and regulatory compliance or Compliance.
