IAB Europe works to produce relevant guidance on the implementation of EU privacy and data protection rules applicable in the digital advertising sector. In March 2021, our Legal Committee developed this practical GDPR Guide on legitimate interests assessments (LIAs) in collaboration with IAB UK. This latest Guide complements our GDPR Guidance on Data Protection Impact Assessments (DPIAs).
Claiming pursuit of a legitimate interest is one of the six lawful bases for processing personal data in the EU’s General Data Protection Regulation (GDPR). Together with consent, it is one of the two legal bases that are generally deemed appropriate in the context of processing personal data for digital advertising-related purposes.
Legitimate interests are included in the legal bases that IAB Europe’s Transparency and Consent Framework aims to help participating organisations leverage. It does so by helping them ensure that the users whose data they wish to process are provided with adequate transparency (such as the identity of parties claiming the legitimate interest) and possibility to exercise their data privacy rights (such as opting out of legitimate interests-based processing).
Before claiming a legitimate interest to process personal data, it is essential that organisations carry out a balancing test, weighing their interests against the interests, fundamental rights and freedoms of the individual. As part of this assessment, organisations have to consider whether individuals would reasonably expect their personal data to be processed based on the relationship they have with the organisation but also how their data is processed. Overall, key to using legitimate interests as a legal basis is that the interests, fundamental rights and freedoms of the individual accounted for and not unfairly overridden.
Organisations should also be aware of regulators’ views on the use of legitimate interests in the specific jurisdictions where they operate. Importantly, in the EU, legitimate interests cannot be used as a basis for setting cookies or any access and storage operation on a user’s device. Thus, where processing of personal data is dependent on non-essential cookies or other forms of storage operations, which require consent, that consent is a prerequisite to the subsequent processing.
The Guide on legitimate interests assessments (LIAs) under the GDPR is intended for companies engaged in digital advertising in the EU. It aims to provide a standardised approach to conducting an LIA that takes into account the particularities of processing and the associated risks in the industry. In particular, the Guide covers the following:
It’s important to keep in mind that while there is value to standardising this approach for the sector and this Guide can be a useful starting point, it remains critical to analyse each particular circumstance objectively and in an organisation’s own terms, on a case-by-case basis.
Visit IAB Europe’s Knowledge Hub here to access the guide.
If you have any questions about this work, please contact Filip Sedefov at firstname.lastname@example.org