Legitimate interest assessment

If you plan to use legitimate interest as a legal basis in your research project, the GDPR requires that you assess the balance between your interests and those of your data subjects (art. 6). In such an assessment, you consider:

  • the purpose of your research: what is your interest? The interest (purpose) must be real, concrete and direct. In research, enabling you to perform your research is usually a legitimate purpose.
  • whether your processing is:
    • necessary: can you reasonably achieve your goal in a more privacy-friendly way? If so, the processing is not necessary; and
    • proportionate: how many people will be affected, to what extent, and how intrusive is your processing?
  • your interests vs. those of data subjects (balancing test), e.g.: can data subjects expect you to process their data this way? What is the impact of your processing on data subjects, your project, and society? Which safeguards can you put in place to protect data subjects’ interests?

How to do a legitimate interest assessment?

Assessing the legitimacy of your processing is part of the privacy scan or, if applicable, a DPIA. If you do not use a privacy scan or DPIA, or you have not performed this assessment (yet), but you do rely on legitimate interest, please contact your privacy officer as soon as possible to perform a privacy scan anyway.

Please note: once your interest is assessed as being “legitimate”, this is not a free pass to do whatever you want with the data: you still need to incorporate Privacy by design into your project, for example by adequately informing data subjects, protecting the personal data, and allowing data subjects to exercise their rights.