A recent EU survey produced examples of ‘legitimate interest’ grounds that are used for processing of personal data. The following is purely for information purposes and is meant to assist you in possibly providing the appropriate level of granularity in your description of the legitimate interest (as opposed to just using a category description). No rationale for their use is provided here. In some cases, organisations used ‘legitimate interest’ as the appropriate lawful basis while other used it as their only lawful basis for processing.
Fraud detection and prevention (crime prevention)
Fraud and financial crime detection and prevention;
Anti-money laundry (AML) watch-lists;
Credit checks and risk assessments;
Politically Exposed Persons (PEP);
Terrorist financing detection and prevention;
Anti-fraud purposes - using information gathered from various sources, such as public directories and publicly available online personal or professional profiles, to check identities when purchases are deemed as potentially fraudulent;
Defending claims, e.g. sharing CCTV images for insurance purposes.
Compliance with foreign law, law enforcement, court and regulatory bodies’ requirements
Operation of Business Conduct and Ethics Line and Reporting under the Sarbanes-Oxley Act (SOX);
Economic sanctions and export control list screening under economic sanctions and export control laws;
Data loss prevention software and tools for compliance with data protection laws and client contractual requirements;
Compliance with requests for disclosures to law enforcement, courts and regulatory bodies, both EU and foreign.
Industry watch-lists and industry self-regulatory schemes
Industry watch-lists – non-payment, barred customers, etc.;
Relations with insurers – information to process insurance claims;
To comply with industry practices (issued by the Financial Action Task Force (FATF), Wolfsberg AML Principles, etc.).
Information, system, network and cyber security
Overall information security operations of an organisation to prevent unauthorised access, intrusion, misuse of company systems, networks, computers and information, including prevention of personal data breaches and cyber attacks;
Piracy and malware prevention;
IP rights protection and IP theft prevention;
Monitoring access to systems and any downloads;
Use of information gathered form physical access control systems for investigating incidents;
Detection and investigation of security incidents – processing of personal data of individuals involved in an incident, as well as the underlying compromised data;
Investigation and reporting of data breaches;
Product and product user security.
Employment data processing
Background checks and security vetting in recruitment and HR functions;
Office access and operations;
Disaster and emergency management tools and apps;
Internal directories, employee share-point sites, internal websites and other business cooperation and sharing tools;
Business conduct and ethics reporting lines;
Compliance with internal policies, accountability and governance requirements and corporate investigations;
Call recording and monitoring for call-centre employees’ training and development purposes;
Employee retention programs;
Workforce and headcount management, forecasts and planning;
Professional learning and development administration;
Time recording and reporting;
Processing of family members’ data in the context of HR records – next of kin, emergency contact, benefits and insurance, etc.;
Additional and specific background checks required by particular clients in respect of processors’ employees having access to clients’ systems and premises;
Defending claims - sharing CCTV images from premises with insurers when required for processing, investigating or defending claims due to incidents that have occurred on our premises;
Intra-corporations hiring for internal operations.
General Corporate Operations and Due Diligence
Modelling – develop or operate financial/credit/conduct and risk models;
Internal analysis of customers – plan strategy and growth;
Reporting and management information – support business reporting;
Sharing information with other members of the corporate group;
Monitoring physical access to offices, visitors and CCTV operations in reception and any other restricted areas;
Processing of personal data of individuals at target company or related to the transaction in M&A transactions;
Producing aggregate analytics reported to third party content owners, especially when it is to fulfil licensing obligations
Managing third party relationships (vendors, suppliers, media, business partners);
Processing identifiable data for the sole purpose of anonymising/de-identifying/re-identifying it for the purposes of using the anonymised data for other purposes (product improvement, analytics, etc.).
Product development and enhancement
Processing of personal data for research, product development and improvements – such as integrity and fairness of a process/service; or data collected by voice recognition tools, or translation tools, which all depend on ability to collect a lot of data of direct customer and other individuals to be able to create and improve the actual service;
Processing of most device data (including the hardware model, operating system version, advertising identifier, unique application identifiers, unique device identifiers, browser type, language, wireless network, and mobile network information) to improve performance of the app, troubleshoot bugs, and for other internal product needs
Information from GPS on smartphones where the chip in the phone needs to provide location data in order to pick up satellite information;
Collection of IP addresses and similar by telecommunication companies that may need to use several unique identifiers to enable them to provide connectivity as well as charge the appropriate person;
Log files/actions within apps for product use analysis, product performance enhancement and product development;
Monitor use and conduct analytics on a website or app use, pages and links clicked, patterns of navigation, time at a page, devices used, where users are coming from etc.;
Monitor queues at call centres.
Communications, marketing and intelligence
Discretionary service interactions - customers are identified in order for them to receive communications relating to how they use and operate the data controllers’ product;
Personalised service and communications;
Direct marketing – of the same, or similar, or related products and services; including also sharing and marketing within a unified corporate group and brand;
Analytics and profiling for business intelligence – to create aggregate trend reports; find out how customers arrive at a website; how they use apps; the responses to a marketing campaign; what are the most effective marketing channels and messages; etc.;
Ad performance and conversion tracking after a click;
Audience measurement – measuring audio-visual audiences for specific markets;
Mapping of publicly available information of professional nature to develop database of qualified professionals/experts in relevant field for the purpose of joining advisory boards, speaking engagement and otherwise engaging with the company;
B2B marketing, event planning and interaction;
Managing suppression lists.
If you would like to know how our service might enable your organisation's GDPR compliance journey, please visit us here
The content herein is provided for your convenience and does not constitute legal advice.
Compliance Technology Solutions B.V. 2018