Audit model: Analysis of legitimate interests (LIA)
1. Legitimacy test
If the processing falls within one of these purposes, then the interests are presumed to be legitimate.
All three conditions must be met cumulatively.
2. Necessity test
The aim of this examination is not to ensure compliance with the specific provisions of the RGPD. Rather, the organization must ensure that there is no obvious infringement of the essential content, the very substance, of these rights. This means taking into account the main principles of the RGPD and its core guiding lines.
For example, the processing of data relating to children, large-scale processing or processing of sensitive data, and the absence of any control by individuals over their data are indications of a risk of serious infringement of the right to data protection.
These include, for example, freedom of thought, conscience and religion, freedom of expression and information, freedom of assembly and association, the right to property, the right to asylum, the rights of the child and the elderly, social rights, citizenship rights, and so on.
For example, the processing of data in such a way as to restrict access to essential information, such as certain political speeches, is a clear infringement of freedom of information.
This means examining whether the processing affects their particular situation, over and above its possible impact on their rights, such as their physical, economic or social situation.
For example, the interests of individuals may take precedence over the legitimate interests of the controller if the processing causes them financial harm or deprives them of access to an essential service.
The reasonable expectations of individuals should not be confused with the information that must necessarily be brought to their attention under the principle of transparency. Reasonable expectations are what a person can legitimately expect from the processing of his or her data, given the situation of the data subject and the context of collection. In practice, this means that the processing must not come as a surprise to the people whose data is being processed, for example by being totally unrelated to the objective pursued or the service rendered.
For example, a social network's "service promise" is to put people in touch with each other, not to profile them with a view to sending them personalized advertising.
Compensatory measures consist either of best-effort obligations fulfilled to a "premium" standard, as thoroughly as possible, or of guarantees that go beyond the requirements of the RGPD. They must address the main risks of infringement of interests, rights and freedoms previously identified by the data controller, and may therefore also aim to limit impacts that do not concern privacy in the strict sense.
For example, if the risk identified by the organization concerns people's control over their data, the implementation of "dashboards" enabling them to manage their preferences and exercise their rights, or allowing them to object to the processing of their data without giving any particular reason, may constitute such additional measures.
Other examples: pseudonymization or anonymization in the case of large amounts of fine-grained data that are not strictly necessary; setting up an ethics committee to monitor the possible negative effects of the use of algorithms, or in the case of medical research (apart from the obligations set out in the texts); setting up parental filters for processing aimed at children; etc.
In the event of imbalance, the data controller must therefore provide for such compensatory measures and check that their application effectively achieves a balance between its legitimate interests and the rights and interests of the data subjects concerned by the processing it wishes to implement. If the weighing appears balanced, the data controller can base its processing on the legal basis of legitimate interest; if not, another legal basis, such as consent, should be sought.
Attribution / Non-commercial use