Legitimate Interest Assessment

What is the ‘legitimate interests’ basis?

Article 6(1)(f) gives you a lawful basis for processing where:

“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

We don’t expect to process data relating to children, though as we are not a data controller we don’t know the source of email data.

Test

1. Purpose test: are you pursuing a legitimate interest?

Yes, we are pursuing the legitimate interest of processing the original sender’s email to create/update issues in Jira, as the Data Controller expects, as well as (optionally) maintaining audit history to assist the Data Controller in solving processing problems.

2. Necessity test: is the processing necessary for that purpose?

Yes, we are processing the email to get the data from the original sender’s email into a place that the Data Controller manages.

3. Balancing test: do the individual’s interests override the legitimate interest?

No, the individual sent the content in the first place to the mailbox of the Data Controller with the expectation of that data being used for that purpose. The auditing aspect of JEMHC offers a valuable tool to prevent short-term data loss where problems in processing arise.

Checklist

We have checked that legitimate interests is the most appropriate basis.

We have conducted a legitimate interests assessment (LIA) and kept a record of it, to ensure that we can justify our decision.

We have identified the relevant legitimate interests.

We have checked that the processing is necessary and there is no less intrusive way to achieve the same result.

We have done a balancing test, and are confident that the individual’s interests do not override those legitimate interests.

We only use individuals’ data in ways they would reasonably expect, unless we have a very good reason.

If we process children’s data, we take extra care to make sure we protect their interests.

We have considered safeguards to reduce the impact where possible.

We have considered whether we can offer an opt out.

If our LIA identifies a significant privacy impact, we have considered whether we also need to conduct a DPIA.

We keep our LIA under review, and repeat it if circumstances change.

We include information about our legitimate interests in our privacy information.

 

We have done a balancing test, and are confident that the individual’s interests do not override those legitimate interests.

By sending an email to the mailbox of the Data Controller, the sender has the expectation that the email will be processed by the Data Controller. The Data Controller engages us through JEMHC as a sub-processor to process that email on their behalf for the same goal.

If we process children’s data, we take extra care to make sure we protect their interests.

We do not expect children's data to be present; it's also not something we can verify.

We have considered safeguards to reduce the impact where possible.

The Data Controller customer using JEMHC can opt out of JEMHC auditing, preventing storage of email data.

If our LIA identifies a significant privacy impact, we have considered whether we also need to conduct a DPIA.

We do not identify a significant privacy impact; our processing is expected, and the retention is limited for the benefit and use of the Data Controller only.