How to conduct a legitimate interest assessment (LIA)


Published by a UUÂãÁÄÖ±²¥ Risk & Compliance expert
Practice notes

How to conduct a legitimate interest assessment (LIA)


Published by a UUÂãÁÄÖ±²¥ Risk & Compliance expert

Practice notes
imgtext

The UK General data protection Regulation (UK GDPR) permits processing of personal data where that processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

There is clearly a balancing exercise to be done: your legitimate interests versus the fundamental rights and freedoms of the data subject—see Precedent: Legitimate interest assessment—data processing.

The outcome of the assessment largely determines whether legitimate interests may be relied on as a lawful ground for processing personal data. For more guidance on legitimate interest as a lawful ground for processing, see Practice Note: Processing personal data—legitimate interests.

This Practice Note provides guidance on how to conduct a legitimate interest assessment under the UK GDPR. It is based on the UK GDPR, together with:

  1. •

    detailed guidance from the Information Commissioner’s Office (ICO) on legitimate interests

Powered by Lexis+®
Jurisdiction(s):
United Kingdom
Key definition:
Data protection definition
What does Data protection mean?

In an employment context, this refers to the obligation on an employer to protect the data of its employees and ensure that it complies with the law on how it uses the employees' data.

Read more

Popular documents

UK GDPR—the basics

UK GDPR—the basicsThis Practice Note explains, in simple terms, the key features of the UK General Data Protection Regulation (UK GDPR). See also Precedent: Data protection quick reference guide.This Practice Note is intended for non-privacy specialists and there are separate, more detailed,

If a multinational company with entities in a number of EU states has registered a data protection

If a multinational company with entities in a number of EU states has registered a data protection officer (DPO) with the Information Commissioner’s Office (ICO), does it need to register a DPO in the other EU states where it has entities or is registration in one country sufficient?Under Article 37

Data subject access request form

Data subject access request formPlease complete this form if you wish to request access to your personal data. You do not have to use this form, but it will help us to deal with your request as quickly and effectively as possible if you do.You can also use this form if you are requesting access to

Refusing a data subject request—what is ‘manifestly unfounded or excessive’?

Refusing a data subject request—what is ‘manifestly unfounded or excessive’?The General Data Protection Regulation (GDPR) provides for enhanced rights for data subjects, including providing rights of access, rectification, erasure and restriction of processing, data portability, a right to object to