Balance test - interactive form

Do you use video surveillance? Do you conduct marketing activities? Are you pursuing your claims? If so, you are probably processing personal data on the basis of the data controller’s legitimate interest (art. 6(1)(f) GDPR). Check whether it is outweighed by the rights and freedoms of the data subjects whose data you process!

Legitimate interest is the favourite legal basis for personal data processing in many organizations. The popular "efka" (the Polish nickname for point (f)) is valued for its flexibility and versatility, while luring imprudent controllers with an apparent ease of application. However, it is not a master key that legalizes any processing operation, but rather a lock that only keys meeting certain criteria fit:

  • the existence of a legitimate interest for which the controller wishes to process the data;
  • the necessity of processing to achieve the objectives set;
  • the precedence of the controller's interests over the rights and freedoms of the data subject.

GDPR requires that before basing a given processing operation on legitimate interest (Art. 6(1)(f) GDPR), the controller must carefully assess whether the above conditions are met. A helpful tool is the so-called balance test, a proposal for which is presented below.

The balance test should be carried out with due care and objectivity. Determining some issues may be difficult, which is why we have prepared a short comment and a sample answer for each question.

You can broaden your knowledge by reading the article How to assess whether a controller's legitimate interest is admissible?, which also describes the criteria and assumptions adopted in our test.

If you need help with a balance test, don't hesitate to ask.

1. Purpose test
We need to start the balance test by identifying the purpose for which we want to process personal data – in the context of the explanations, we use the following example: protection of persons and property in the context of visual monitoring at production plant X.
Next, we must define our interest – it may be an economic, factual, business or legal interest. The interest must be legitimate, meaning it must be lawful, i.e. based on national or EU law. Sample answer: "Protection of persons and property is a factual interest, but it may also have an economic, business and, in some situations, legal character. The controller/third party has the right to protect its premises, and its employees and guests have an interest in being safe. In this case, protection of the above interests is based primarily on Article 22² of the Labour Code, but also finds grounds in fundamental rights such as protection of life, property and conduct of business activity."
The interest should not be hypothetical but should be based on a reliable analysis of the actual factual and legal situation.
Reality and currency are interconnected and derive from each other. A current interest is one that actually exists at the time of processing.

The real and present interest must arise from an activity carried out by the controller or be related to a planned activity or a future benefit. As the CJEU notes, when assessing whether an interest is real and present, controllers cannot always be required to show that the interest stems from past events. In the case of video surveillance, it cannot be required that breaches against property or persons have occurred in the past. However, if such breaches have occurred, our interest is undoubtedly real and present.

Other circumstances that make our interest current in the context of video surveillance could be:
- events occurring on neighbouring properties,
- crime statistics in the area,
- a significant sense of danger among the occupants of the building,
- the type of activity of the controller (e.g. exchange office, bank).
It may turn out that another legal basis will be adequate, e.g. where processing is a legal obligation of the Controller/third party. In the case of video monitoring, this may concern, for example, security at certain mass events or monitoring in sobriety rooms. For public bodies, monitoring is as a rule carried out on the basis of Article 6(1)(e) GDPR, i.e. performance of a task in the public interest. In such a case, the balance test does not need to be continued.
2. Necessity test
The necessity of processing applies to all legal bases, in line with the principles of purpose limitation, data minimisation and storage limitation.
The assessment should take into account the data minimisation principle. If we process too much data or too many categories of data in relation to the defined purpose, in particular special categories of data, we should immediately limit them to what is necessary – otherwise the test result should be negative. In the case of monitoring, we should analyse its scope, the number of cameras and their range. It may turn out that monitoring covers public spaces, private property, roads, pavements, toilets, smoking areas, changing rooms or social rooms. In such a case, data minimisation should be carried out by changing camera angles, applying recording masking or removing a camera.
This question takes into account the storage limitation principle. If processing is already taking place, the controller should verify the retention periods adopted. The controller should ask: once data become redundant, are they deleted or anonymised? Is the retention period imposed by law? Retention of data from video monitoring will usually result from the capacity of the recorder. As a rule, recorders overwrite recordings after a reasonable, short period. In the case of employee monitoring, retention may not exceed three months.
This question develops the two previous ones. The controller/third party should consider whether they can use another tool, technology or procedure that does not require data processing or processes a smaller scope of data. In the case of monitoring, it is hard to imagine another technology that would achieve the same purposes, although the planned recorder and its configuration can be taken into account here. If the above points indicate that processing is necessary, we can proceed to the next step.
3. Balance test
The type of data includes, for example, ordinary data, behavioural data, financial data, sensitive data and highly personal data. Ordinary data and data enabling significant insight into a person's financial situation will have a different impact on the balance of interests. In the case of sensitive data, remember that it is necessary to indicate a basis under Article 9(2) GDPR; otherwise processing of such data is prohibited. Video monitoring as a rule aims to process ordinary data and possibly data concerning behaviour (e.g. what and when a given person did).
The category of persons also affects the balance of interests. In the case of monitoring, categories of persons can be specified, e.g. employees, guests, couriers, etc. Particular attention is required for children and other persons requiring care, i.e. persons in relation to whom the controller has a dominant position (there is a clear imbalance of power), e.g. employees, elderly persons, persons with disabilities – especially intellectual disabilities, patients, refugees.
To establish the context of processing, it is worth considering where we have the data from, which affects the relationship with the data subject and their reasonable expectations. Data may come from the data subject, from other persons such as family members, employees or contractors. Data may also come from publicly available sources or purchased databases. In the case of video monitoring, data come from data subjects present in the monitored area.
This question seeks to determine whether the data subject has, objectively speaking, a reasonable expectation of data processing. Such expectations may arise from the type and nature of the relationship between the controller and the data subject, e.g. being a party to a contract with the controller/third party, its employee, debtor, website user, member of company bodies, recipient of marketing content, etc. Another source of reasonable expectations may be the type of location or the context of the situation. In the case of monitoring, the assessment of reasonable expectations comes down to whether the data subject can objectively expect to be monitored at a particular location.

The European Data Protection Board (EDPB) cites a bank or the vicinity of an ATM as examples of places where a person may expect to be subject to monitoring. As examples where such expectations will not arise, it points to: a private garden, residential areas, doctors' and treatment rooms, sanitary rooms, saunas. According to the EDPB, in most cases the employee does not expect to be monitored at the workplace².

In the case of video surveillance, employees and other persons under surveillance may have a reasonable expectation that, when they enter the monitored area, their images will be recorded, e.g. due to the nature of the workplace. This applies in particular when the requirements of fairness and transparency, as well as other legal requirements (the lawfulness aspect), have already been met. An employee who has been informed in the work regulations and in the information provided at the start of work will not be surprised by the fact of monitoring in the workplace.

² EDPB Guidelines 3/2019 on the processing of personal data through video devices
The nature of processing may be a significant circumstance, including whether processing is automated, continuous, large-scale, whether data are made public or processing involves profiling, data mining, machine learning, etc. The nature of the Controller/third party is also important – whether they are an employer, an international corporation or a small sole trader. In the case of video monitoring, it is worth indicating: whether monitoring is continuous, whether monitoring takes place on a large scale, in particular of public places. In the case of employee monitoring, remember the asymmetrical relationship with the employee, where the employer has a dominant position.
A positive impact clearly tips the balance of the test in favour of the Controller/third party. A positive impact may include receiving a reward or other benefits, proper provision of a service, more efficient organisation of work, ensuring the safety of the person or their property, which is also a benefit for persons covered by monitoring.
This is where we identify a negative impact on a person, which in turn tilts the test in their favour. Not every negative impact carries the same weight. A life-threatening or discriminatory risk or financial loss will have a different negative impact, while a slight frustration or an honest article describing, for example, corruption will have a different impact (here the public interest is additionally affected).
In the first instance, we should indicate the negative effects on the person of a subjective nature. Subsequently, we can indicate the identified risks related to the process itself and the technical and organisational measures used.
In the case of correctly implemented visual monitoring, small risks such as frustration with the breach of privacy can be identified.
Examples of adverse effects can be found in recital 75 of the GDPR: discrimination, identity theft or identity fraud, financial loss, damage to reputation, breach of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation or any other significant economic or social harm.
This question concerns solutions and tools enabling the data subject to control their data, e.g. privacy settings panels or tools facilitating the exercise of rights. These are not mandatory solutions, but they help mitigate the negative impact associated with processing (so-called compensatory measures). In the case of video monitoring, such a measure may include a tool for remote access to recordings concerning a given person, contact forms on the website or tools for anonymising recordings.
Transparency is an important prerequisite for proper data processing, while at the same time preventing situations in which the data subject may be surprised that their data are being processed. At the same time, it should be borne in mind that information plaques do not affect the objective assessment of a person's reasonable expectations.

At the same time, transparency can be a great means of balancing the balance of interests. The controller can take additional steps to increase the transparency of the processing by providing in the information clauses, for example, information about the balance test carried out and its result. In our example, the answer could be: "The controller has placed plaques indicating the identity of the controller, the purposes of the processing, the rights of the data subjects together with a pictogram. The plaque contains a QR code directing to the full information clause, which informs about the balance test carried out and its summary results."
4. Risk analysis

LEGEND

Based on the following legend, estimate the likelihood of a breach:

(1) low probability – the materialization of a potential violation of the rights and freedoms of data subjects does not appear to be possible for the selected sources of risk;

(2) average probability – the materialization of a potential violation of the rights and freedoms of data subjects appears difficult for the selected sources of risk;

(3) high probability – the materialization of a potential violation of the rights and freedoms of data subjects appears possible for the selected sources of risk;

(4) very high probability – the materialization of a potential violation of the rights and freedoms of data subjects appears extremely easy for the selected sources of risk.

Based on the following legend, estimate the impact of the violation on the rights and freedoms of data subjects:

(1) low impact – data subjects will not be affected by the effects of the violation, or will encounter minor inconveniences that they overcome without any difficulty (time required to re-enter data, impatience, irritation, etc.);

(2) average impact – data subjects may experience significant discomfort which they will be able to overcome despite certain difficulties (additional costs, fear, misunderstanding, stress, minor physical injury, etc.);

(3) high impact – data subjects may encounter significant inconvenience that they should be able to overcome, but with serious difficulty (financial fraud, being listed as unreliable customers by banks, property damage, loss of employment, lawsuits, deteriorated health, etc.);

(4) very high impact – data subjects may face significant or even irreversible consequences which they may not overcome (financial difficulties resulting, for example, from unpaid debt or incapacity to work, long-term psychological or physical injury, death, etc.).

Form columns: Breach | Probability | Impact | Risk

5. Test result
Taking into account your findings, assess whether the purpose the controller wishes to pursue takes precedence over the rights and freedoms of data subjects.
Indicate and justify the decision taken by the controller. This also applies where the controller decided to carry out processing despite a negative test result.

Disclaimer

To obtain a reliable result of the legitimate interest assessment (LIA), all fields of the form must be completed. Each process and its constituent elements must be assessed individually, in particular the purposes of processing planned by the data controller and their impact on the rights and freedoms of the data subjects. For this reason, this form can serve at most as an auxiliary tool and cannot be the sole basis for decisions by any entity or person who uses the form at their own risk. ODO 24 sp. z o.o. is not liable to any entity or person for any indirect or direct consequences of using the form, in particular in the form of damages, liability to pay compensation or redress, imposed administrative fines, loss of profits or other adverse consequences.


Balancing test form

What is the balancing test in the context of the GDPR?

The balancing test in the context of the GDPR is a process aimed at assessing whether the "legitimate interest" of the data controller (the controller) outweighs the rights and freedoms of the data subject. It is necessary when the data controller wishes to process personal data on the basis of their legitimate interest, in accordance with Article 6(1)(f) of the GDPR.

When and why should I carry out a balancing test under the GDPR?

The balancing test is used when data processing is based on a legitimate interest as the legal basis. The balancing test is carried out for the purpose of weighing the rights and interests of the data subject against the interests of the organisation processing the data.

How should the balancing test be conducted in practice?

The balancing test consists of three main steps:

  • Assessment of the existence of a legitimate interest (purpose test) - involves identifying the purpose of the data processing and assessing whether it is a legitimate interest. The legitimate interest must arise from a lawful interest of the data controller, i.e. from an actual, legal or economic interest.
  • Assessment of the necessity of data processing (necessity test) - involves assessing whether the processing of data is necessary to achieve the purposes arising from the legitimate interest.
  • Assessment of whether the interests or fundamental rights and freedoms of the data subject do not override the interest of the data controller (balancing test) - involves weighing the interests of both parties and determining whether the data controller’s legitimate interest outweighs the interests and rights of the data subject.
How can I weigh my company’s interests against the rights of the individual when conducting the balancing test?

Weighing the interests of the company and the individual involves checking whether data processing is disproportionate in relation to the individual’s rights. Factors to be taken into account when weighing interests include:

  • type of processed data – whether it is ordinary data or special categories of data,
  • the scale and nature of data processing – meaning both the volume of data processed and additional operations such as data matching, automated processing,
  • the nature of the individual’s interests – in particular in relation to the person’s fundamental rights and freedoms,
  • the reasonable expectations of the individual – Recital 47 of the GDPR refers to the reasonable expectations of the individual, based on their relationship with the controller,
  • the relationship between the controller and the individual – in particular factors that may give one party a privileged position, e.g. in the role of employer.
Do I have to document the results of the balancing test?

Yes, documenting the results of the balancing test is important for several reasons:

  • Evidence of compliance with the GDPR: Documenting the results of the balancing test allows you to demonstrate that your organisation complies with the provisions of the GDPR. This may be particularly important if your organisation is asked to demonstrate compliance with the GDPR by the supervisory authority.
  • Internal data management: Documentation can help your organisation manage personal data, enabling tracking of why and how data are processed. It can also assist in making decisions about future data processing.
  • Protection of the rights of data subjects: If a data subject contests the processing of their personal data, the documentation can help explain why the data are being processed.
What consequences may result from improperly conducting the balancing test?

Improper conduct of a balancing test may result in the processing of data without an appropriate legal basis, which would constitute a breach of the GDPR.

Further consequences arising from a breach of the GDPR may include, among others: violation of the rights of the data subjects; financial penalties, damage to the company's reputation, and the costs of legal services associated with administrative and judicial proceedings.

How does a balancing test affect decisions on the processing of personal data?

The balancing test plays a key role in decisions concerning the processing of personal data, because it helps organisations understand whether their data processing complies with the GDPR.

During the course of the balancing test the legitimate interest is identified and an assessment is made of whether the processing is necessary to achieve that interest. The balancing test also requires an evaluation of whether the legitimate interest outweighs the rights and freedoms of the data subjects.

Consequently, the balancing test can influence decisions about data processing, as well as decisions on which safeguards are applied to protect the data and ensure compliance with the GDPR. If the test indicates that the processing is not compliant with the GDPR, the organisation may be forced to cease that processing or to rely on a different legal basis for it.

Do I have to consult the data protection authority when conducting a balancing test?

As a rule, conducting the balancing test is the responsibility of the data-processing organisation and does not require direct consultation with the supervisory authority.
