The lawful basis - Employee

The lawful basis of “legitimate interest” – assessment

When using “legitimate interest” as the lawful basis under the General Data Protection Regulation (Article 6 no. 1 (f) of the GDPR), a documented assessment or balancing test must be conducted. OsloMet’s interests in relation to the processing must be weighed against the impact the processing has on the data subject, i.e. the employee, student, research subject or similar.
  • Assessment form

    See the form for assessing “legitimate interest” (in Norwegian). This form should be stored in P360, together with a documented risk assessment and other documents associated with the processing/work process.

  • When is it appropriate to use “legitimate interest” as the lawful basis?

    Legitimate interest is highly practical in connection with marketing, HR administration, registration for courses and events, employee surveys, employee appraisals, skills mapping, safety management, inspections (initiatives other than those that follow from Chapter 9 of the Norwegian Working Environment Act, but please see the restrictions set out in Section 9-1), issuing surveys/evaluations, use of portrait photos, and use of different systems for communication and collaboration, such as Office 365, Zoom, Teams, etc.

  • What do you need to keep in mind?

    • The data subject must feel confident that the data will be processed for the purpose in question.
    • A balancing test must be carried out in which the interests of OsloMet/third parties are weighed against the impact the processing will have on the employee, student, informant, visitor or similar, such as when it comes to life and health, privacy, social, financial or legal matters.
    • Remember to document the assessments and balancing tests that have been conducted! Archive in P360.

    Note: not applicable in connection with the exercise of public authority (in which case item (e) shall apply) or when using “special categories”.

  • The balancing of interests – structure

    Balancing of interests, no. 1: The interests of the organisation or the public

    • What benefits will the organisation achieve from the processing of personal data, e.g. issuing information/surveys to alumni?
    • What benefits will the population/general public achieve? – What is the value of the processing? Could the processing have any negative impact on the population/general public?

    If former students respond to surveys/evaluations, this could lead to improved study programmes and former students may provide useful information for new students relating to experiences of e.g. stays abroad.

    However, some alumni may consider this to constitute spam/too much email or they may feel they have finished with OsloMet or have had negative experiences.

    Balancing of interests, no. 2: Privacy considerations

    • Scope of processing – How many individuals are affected?
    • Will the disadvantages persist over time?
    • What do the affected individuals/data subjects think?
    • Impact on affected individuals/data subjects?
    • Nature of the data
    • Sensitive data, personal characteristics… ease of access to the data?
    • The risk of personal data going astray

    Balancing of interests, no. 3: Measures to minimise privacy disadvantages

    • Is it possible to opt out?
    • Has the organisation introduced other measures to minimise privacy disadvantages?

    If alumni respond to the request and consent to collection – OK. If they do not respond or respond to say that they do not wish to receive any further requests, they should be given the opportunity to opt out of future contact.

    Balancing of interests, no. 4: The balancing test

    The interests of the population/third parties in information and surveys issued to e.g. alumni must be weighed against the former students’ need for protection.

    Is the intrusion into privacy proportionate in the example of alumni?

    There is some processing of a small amount of general personal data (contact details) and the issuing of information must therefore be considered to be minimally intrusive. Contact details constitute data that criminal and financial parties have little interest in or will not make much effort to obtain. Most former students will also expect such contact.

    A possible consideration here would be that the population/third parties’ interest in the issued information will be weighted more heavily than former students’ need for protection. Other students will benefit from the evaluations and experiences of alumni in connection with their studies and stays abroad. This must be weighed against the fact that some will consider the information to be spam.

  • Resources