[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f8M1kNCq1hxWxPu28OHEeih1WirDGu5haw0-XOd1bTT4":3},{"tableOfContents":4,"markDownContent":5,"htmlContent":6,"metaTitle":7,"metaDescription":8,"wordCount":9,"readTime":10,"title":11,"nbDownloads":12,"excerpt":13,"lang":14,"url":15,"intro":16,"featured":4,"state":17,"author":18,"authorId":19,"datePublication":24,"dateCreation":25,"dateUpdate":26,"mainCategory":27,"categories":43,"metaDatas":49,"imageUrl":56,"imageThumbUrls":57,"id":65},false,"Les intérêts légitimes constituent une des [**six bases légales**](https://www.dastra.eu/fr/guide/bases-legales-rgpd/2495) du RGPD permettant de traiter des données à caractère personnel.\r\n\r\nLegitimate interests are one of the [**six legal bases**](https://www.dastra.eu/en/guide/legal-basis-for-processing/56301) of the GDPR for processing personal data.\r\n\r\n### Why is it essential to define legitimate interests? ⚠️\r\n\r\nThe GDPR requires data controllers to document their compliance. As such, it is compulsory to keep a [**record of data processing activities (ROPA)**](https://www.dastra.eu/en/product-features/data-processing) but also to **justify the decisions taken** on the subject of data protection.\r\n\r\nAccording to [**Article 6 of the GDPR**](https://eur-lex.europa.eu/eli/reg/2016/679/oj), for this legal basis to be valid, the **legitimate interests must not override the rights and freedoms** of the persons concerned by the processing.\r\n\r\n> **Reminder**: this legal basis is not possible for processing carried out by public authorities in the performance of their duties.\r\n\r\nWhen choosing this legal basis, it is important to **document your choice** if it is not obvious.\r\n\r\nThe legal basis of legitimate interests may be used without having to be justified in the following cases:\r\n\r\n- Guaranteeing the security of a computer network and information system\r\n- To prevent fraud\r\n- Canvassing existing customers for similar products and services\r\n- To carry out administrative management and share data within a group (customers and HR).\r\n\r\nIn these cases, **the interests are presumed to be legitimate**. However, if there is any doubt about legitimacy, a test such as the one described below must be carried out.\r\n\r\n### Legitimacy test ✔️\r\n\r\nTo identify whether the interests are legitimate, here is a **list of questions** to ensure that you have the answer.\r\n\r\n> These questions come from the [complete audit model](https://www.dastra.eu/en/audit/referential/3bb733dd-1767-4989-bcb9-08db7e0ec0c3) available in Dastra.> This model includes the legitimacy test, but also the **necessity test** and the **balancing test**!\r\n\r\n1.1. Why do you want to process the data?\r\n\r\n1.2 What benefit do you hope to derive from the processing?\r\n\r\n1.3. Do third parties benefit from the processing?\r\n\r\n1.4. Are there wider public benefits from the processing?\r\n\r\n1.5. How significant are these benefits?\r\n\r\n1.6. What would be the consequences of not carrying out the treatment?\r\n\r\n1.7 What is the expected outcome for individuals?\r\n\r\n1.8. Is the processing necessary to comply with another regulation?\r\n\r\n1.9. Please specify the regulations\r\n\r\n1.10. Does the processing make it possible to comply with industry directives or a code of conduct?\r\n\r\n1.11. Please specify the standards or codes of conduct\r\n\r\n1.12. Does the processing raise ethical issues?\r\n\r\n1.13. Does the processing serve one of the following purposes?*If the processing falls within one of these purposes, then the interests are presumed to be legitimate*.\r\n\r\n- To guarantee the security of a computer network and information system\r\n- To prevent fraud\r\n- canvassing existing customers for similar products and services\r\n- To carry out administrative management and share data within a group (customers and HR)\r\n\r\n1.14. If the processing does not meet the above objectives, the interests of the processing may be presumed to be legitimate if they meet the following three conditions ?\\*The three conditions must be met cumulatively.\r\n\r\n- The interest is manifestly lawful under the law\r\n- It is determined in a sufficiently clear and precise manner\r\n- It is real and present for the organisation concerned, and not fictitious.\r\n\r\n1.15. In the light of your answers to the previous questions, indicate precisely the purpose of the processing operation\r\n\r\n1.16. In the light of your answers to the previous questions, indicate precisely the legitimate interests involved","\u003Cp>Les intérêts légitimes constituent une des \u003Ca href=\"https://www.dastra.eu/fr/guide/bases-legales-rgpd/2495\">\u003Cstrong>six bases légales\u003C/strong>\u003C/a> du RGPD permettant de traiter des données à caractère personnel.\u003C/p>\r\n\u003Cp>Legitimate interests are one of the \u003Ca href=\"https://www.dastra.eu/en/guide/legal-basis-for-processing/56301\">\u003Cstrong>six legal bases\u003C/strong>\u003C/a> of the GDPR for processing personal data.\u003C/p>\r\n\u003Ch3 id=\"why-is-it-essential-to-define-legitimate-interests\">Why is it essential to define legitimate interests? ⚠️\u003C/h3>\r\n\u003Cp>The GDPR requires data controllers to document their compliance. As such, it is compulsory to keep a \u003Ca href=\"https://www.dastra.eu/en/product-features/data-processing\">\u003Cstrong>record of data processing activities (ROPA)\u003C/strong>\u003C/a> but also to \u003Cstrong>justify the decisions taken\u003C/strong> on the subject of data protection.\u003C/p>\r\n\u003Cp>According to \u003Ca href=\"https://eur-lex.europa.eu/eli/reg/2016/679/oj\" rel=\"nofollow\">\u003Cstrong>Article 6 of the GDPR\u003C/strong>\u003C/a>, for this legal basis to be valid, the \u003Cstrong>legitimate interests must not override the rights and freedoms\u003C/strong> of the persons concerned by the processing.\u003C/p>\r\n\u003Cblockquote>\r\n\u003Cp>\u003Cstrong>Reminder\u003C/strong>: this legal basis is not possible for processing carried out by public authorities in the performance of their duties.\u003C/p>\r\n\u003C/blockquote>\r\n\u003Cp>When choosing this legal basis, it is important to \u003Cstrong>document your choice\u003C/strong> if it is not obvious.\u003C/p>\r\n\u003Cp>The legal basis of legitimate interests may be used without having to be justified in the following cases:\u003C/p>\r\n\u003Cul>\r\n\u003Cli>Guaranteeing the security of a computer network and information system\u003C/li>\r\n\u003Cli>To prevent fraud\u003C/li>\r\n\u003Cli>Canvassing existing customers for similar products and services\u003C/li>\r\n\u003Cli>To carry out administrative management and share data within a group (customers and HR).\u003C/li>\r\n\u003C/ul>\r\n\u003Cp>In these cases, \u003Cstrong>the interests are presumed to be legitimate\u003C/strong>. However, if there is any doubt about legitimacy, a test such as the one described below must be carried out.\u003C/p>\r\n\u003Ch3 id=\"legitimacy-test\">Legitimacy test ✔️\u003C/h3>\r\n\u003Cp>To identify whether the interests are legitimate, here is a \u003Cstrong>list of questions\u003C/strong> to ensure that you have the answer.\u003C/p>\r\n\u003Cblockquote>\r\n\u003Cp>These questions come from the \u003Ca href=\"https://www.dastra.eu/en/audit/referential/3bb733dd-1767-4989-bcb9-08db7e0ec0c3\">complete audit model\u003C/a> available in Dastra.\u003Cbr />\r\nThis model includes the legitimacy test, but also the \u003Cstrong>necessity test\u003C/strong> and the \u003Cstrong>balancing test\u003C/strong>!\u003C/p>\r\n\u003C/blockquote>\r\n\u003Cp>1.1. Why do you want to process the data?\u003C/p>\r\n\u003Cp>1.2 What benefit do you hope to derive from the processing?\u003C/p>\r\n\u003Cp>1.3. Do third parties benefit from the processing?\u003C/p>\r\n\u003Cp>1.4. Are there wider public benefits from the processing?\u003C/p>\r\n\u003Cp>1.5. How significant are these benefits?\u003C/p>\r\n\u003Cp>1.6. What would be the consequences of not carrying out the treatment?\u003C/p>\r\n\u003Cp>1.7 What is the expected outcome for individuals?\u003C/p>\r\n\u003Cp>1.8. Is the processing necessary to comply with another regulation?\u003C/p>\r\n\u003Cp>1.9. Please specify the regulations\u003C/p>\r\n\u003Cp>1.10. Does the processing make it possible to comply with industry directives or a code of conduct?\u003C/p>\r\n\u003Cp>1.11. Please specify the standards or codes of conduct\u003C/p>\r\n\u003Cp>1.12. Does the processing raise ethical issues?\u003C/p>\r\n\u003Cp>1.13. Does the processing serve one of the following purposes?\u003Cbr />\r\n\u003Cem>If the processing falls within one of these purposes, then the interests are presumed to be legitimate\u003C/em>.\u003C/p>\r\n\u003Cul>\r\n\u003Cli>To guarantee the security of a computer network and information system\u003C/li>\r\n\u003Cli>To prevent fraud\u003C/li>\r\n\u003Cli>canvassing existing customers for similar products and services\u003C/li>\r\n\u003Cli>To carry out administrative management and share data within a group (customers and HR)\u003C/li>\r\n\u003C/ul>\r\n\u003Cp>1.14. If the processing does not meet the above objectives, the interests of the processing may be presumed to be legitimate if they meet the following three conditions ?\u003Cbr />\r\n*The three conditions must be met cumulatively.\u003C/p>\r\n\u003Cul>\r\n\u003Cli>The interest is manifestly lawful under the law\u003C/li>\r\n\u003Cli>It is determined in a sufficiently clear and precise manner\u003C/li>\r\n\u003Cli>It is real and present for the organisation concerned, and not fictitious.\u003C/li>\r\n\u003C/ul>\r\n\u003Cp>1.15. In the light of your answers to the previous questions, indicate precisely the purpose of the processing operation\u003C/p>\r\n\u003Cp>1.16. In the light of your answers to the previous questions, indicate precisely the legitimate interests involved\u003C/p>\r\n","how to assess the legitimate interests in a processing operation?","Les intérêts légitimes constituent une des six bases légales du RGPD permettant de traiter des données à caractère personnel.",622,3,"GDPR: how to assess the legitimate interests in a processing operation? Our checklist🗒️ ",0,"How can we identify the reasonable expectations of the person concerned by the processing of personal data?","en","gdpr-how-to-assess-the-legitimate-interests-in-a-processing-operation-our-check","In this article, we propose a questionnaire for documenting the justification of the \"legitimate interests\" legal basis and assessing whether this legal basis can be retained for the processing of personal data.","Published",{"id":19,"displayName":20,"avatarUrl":21,"bio":22,"blogUrl":22,"color":22,"userId":19,"creationDate":23},38,"Paul-Emmanuel Bidault","https://static.dastra.eu/tenant-27/avatar/38/paul-emmanuel-bidault-150.jpg",null,"2019-12-03T19:09:28","2023-12-27T15:00:12.201","2023-12-27T16:00:10.8503996","2026-02-04T10:05:05.1079162",{"id":28,"name":29,"description":30,"url":31,"color":32,"parentId":22,"count":22,"imageUrl":22,"parent":22,"order":12,"translations":33},2,"Blog","A list of curated articles provided by the community","blog","#28449a",[34,37,40],{"lang":35,"name":29,"description":36},"fr","Une liste d'articles rédigés par la communauté",{"lang":38,"name":29,"description":39},"es","Una lista de artículos escritos por la comunidad",{"lang":41,"name":29,"description":42},"de","Eine Liste von Artikeln, die von der Community verfasst wurden",[44],{"id":28,"name":29,"description":30,"url":31,"color":32,"parentId":22,"count":22,"imageUrl":22,"parent":22,"order":12,"translations":45},[46,47,48],{"lang":35,"name":29,"description":36},{"lang":38,"name":29,"description":39},{"lang":41,"name":29,"description":42},[50,53],{"typeMetaDataId":28,"value":51,"id":52},"https://www.dastra.eu/en/audit/referential",111715,{"typeMetaDataId":10,"value":54,"id":55},"See all our questionnaire templates",111716,"https://static.dastra.eu/content/ac928a27-d61e-4b9f-8056-154c81c7d4da/audits-1000.png",[58,59,60,61,62,63,64],"https://static.dastra.eu/content/ac928a27-d61e-4b9f-8056-154c81c7d4da/audits-1000.webp","https://static.dastra.eu/content/ac928a27-d61e-4b9f-8056-154c81c7d4da/audits.webp","https://static.dastra.eu/content/ac928a27-d61e-4b9f-8056-154c81c7d4da/audits-1500.webp","https://static.dastra.eu/content/ac928a27-d61e-4b9f-8056-154c81c7d4da/audits-800.webp","https://static.dastra.eu/content/ac928a27-d61e-4b9f-8056-154c81c7d4da/audits-600.webp","https://static.dastra.eu/content/ac928a27-d61e-4b9f-8056-154c81c7d4da/audits-300.webp","https://static.dastra.eu/content/ac928a27-d61e-4b9f-8056-154c81c7d4da/audits-100.webp",56359]