Legitimate Interest Assessment - May 2018 





What is the purpose of the processing operation?

We process a data subject’s personal data (name, position, phone number/mobile, email address) for decision makers within an organisation. This allows us to approach them via telephone and email to introduce our business service.


Is the processing necessary to meet one of more specific organisational objectives?

Yes – we need to speak directly to the decision maker, so aim to contact them via their DDI, mobile or email address so we can arrange meetings for the provision of our business service.


Is the processing necessary to meet one or more specific objective of any Third Party

We do not process any personal data to meet the requirements of any third parties – the personal data we hold is specifically for our organisational objectives.


Does the GDPR, ePrivacy Regulation or other national legislation specifically identify the processing activity as being a legitimate activity, subject to the completion of a balancing test and positive outcome?

Yes – holding a data subject’s name, position, phone number/mobile and email address is within the GDPR laws for B2B processing. The needs of our organisation does not jeopardise the data subject’s rights.

The necessity test





Why is the processing activity important to the Controller?

Our business provides a telephone-based service called audio branding. The only way for PHMG to provide the service initially is by telephone, as we contact the decision maker via their DDI or mobile to book an appointment. Without the ability to process this data and call the data subject, PHMG would not be able to meet its organisational objectives.


Why is the processing activity important to other parties the data may be disclosed to, if applicable?

The data we process is for PHMG’s purpose only and is not important to other parties.


Is there another way of achieving the objective?

No – we provide a phone-based product and service, so it is entirely necessary for us to contact decision makers within businesses in this manner to reach our objectives.

The balancing test





Would the individual expect the processing activity to take place?

Yes – a decision maker within an organisation has a proven desire to improve standards of professionalism in their own business, and their caller’s customer satisfaction while on the telephone. For both PHMG and the business to achieve this, PHMG must understand who the decision maker is and how to contact them via telephone or email.


Does the processing add value to a product or service that the individual uses?

Yes – processing the name, position, email and phone/mobile number allows us to personalise our approach. This ensures that we are consulting in the appropriate manner at the initial stages to be able to deliver a service that works specifically for them and their organisation. All calls are recorded for training purposes and to allow us to provide a product at point-of-sale, beneficial to the customer.


Is the processing likely to negatively impact the individual’s rights?

No – we will oblige to any individual requests to provide clarity on what information we hold on them, and their right to be removed and never contacted again. We simply ask to speak to the decision maker when making calls, and no further processing of personal data is undertaken.


Is the processing likely to result in

unwarranted harm or distress to the


No – we follow a strict process when making calls to data subjects, ensuring that we ask for the decision maker by name, or by contacting them directly with their DDI/mobile. We will also email them personally when they’re in the buying cycle or we’re following-up.


Would there be a prejudice to Data

Controller if processing does not happen?

The data controller would not be able to meet their organisational objectives if personal data is not processed for the means of phone calls and emails.


Would there be a prejudice to the Third Party if processing does not happen?



Is the processing in the interests of the individual whose personal data it relates to?

Yes – PHMG provide a personalised service from the first touchpoint with a customer. Without the processing of a decision maker’s name, phone number and email address, PHMG cannot meet the organisational objectives and speak to the right person about the service we provide. Without speaking to the decision maker we cannot provider our business service.


Are the legitimate interests of the individual aligned with the party looking to rely on their legitimate interests for the processing?



What is the connection between the individual and the organisation?

Prospect (never purchased goods or services)


What is the nature of the data to be processed? Does data of this nature

have any special protections under


There are no special protections required under the GDPR for the processing of the data subjects’ personal information.


Is there a two-way relationship in place between the organisation and the individual whose personal information is going to be processed? If so how close is that relationship?

• Ongoing

• Periodic

• One-off


No relationship, or relationship has effectively ceased


There is a two-way relationship between PHMG and the data subject. At this stage, we’re contacting the decision maker by telephone or email to understand their requirements, provide consultancy and ultimately allow PHMG to create a product and service that is specific to their needs. The relationship can be ongoing (during the buying cycle), periodic (not yet ready to buy but has a need for the service), one-off (has been contacted and either expressed no interest in the service and not to be contacted again, in which case PHMG will suppress the data), has a meeting and takes on the service, or no relationship is in place. We have a legitimate interest to contact a decision maker based upon their own organisational requirements – e.g. they have a phone system, employ staff and place callers on hold – yet we have made no contact with them previously.


Would the processing limit or undermine the rights of individuals?



Has the personal information been obtained directly from the individual, or obtained indirectly?

A mix of both direct and indirect.


Is there any imbalance in who holds the power between the organisation and the individual?



Is it likely that the individual may expect their information to be used for this purpose?

Yes. We provide a business service to improve a decision makers’ company, therefore the data subject would expect to be contacted for this nature.


Could the processing be considered intrusive or inappropriate? In particular, could it be perceived as such by the individual or in the context of the relationship?

No. We aim to speak to the decision maker within the organisation to ensure that we’re providing a service suitable for their requirements.


Is a fair processing notice provided to the individual, if so, how? Are they sufficiently clear and up front regarding the purposes of the processing?

Upon our monthly e-shot to our prospect data base, we inform the subject that we have captured their personal data, give details on where we captured it from and our intent to use it to market our audio branding services to them. This will be in the form of the e-shot and also by telephone.


Can the individual, whose data is being processed, control the processing activity or object to it easily?

• Yes (cover how you do this in the next section on “Mitigation and Compensating Controls”)

Explain: The data subject can object to any method of communication from PHMG. If they can ask for clarity on any personal data we hold on the subject via the telephone PHMG will oblige. Our process is to submit this request to the DPO and a formal review will take place. This will provide clarity on all aspects of personal data we hold on the subject and the right for suppression, and we’ll store the minimum requirement of data to allow for identification so no further communication with the subject will occur. By email, there is a very easy opt-out process whereby the user can request to be opted-out of any form of email marketing from PHMG. We will opt-out the subject and provide a formal notification for any method of communication.


Can the scope of the processing be modified to reduce/mitigate any underlying privacy risks or harms?

• Yes (we already have mitigation and compensating controls in place, as outlined in the next section)

Safeguards and compensating controls

Safeguards include a range of compensating controls or measures which may be put in place to protect the individual, or to reduce any risks or potentially negative impacts of processing. These are likely to have been identified via a Privacy Impact Assessment conducted in relation to the proposed activity. For example: data minimisation, de-identification, technical and organisational measures, privacy by design, adding extra transparency, additional layers of encryption, multi-factor authentication, retention, restricted access, opt-out options, hashing, salting, and other technical security methods used to protect data.

Please include a description of any compensating controls that will be put in place or are already in place to preserve the rights of the individual:

We use Sophos Security products to protect from intrusions and malicious attacks on all desktops and servers, and have Fortinet Firewalls on the edge of our network. All data is backed up and stored within the UK. We have the ability to move data to an encrypted location if necessary, which would require software with the ability to read the information in order to decode. We also have the ability to encrypt the disks the data is stored on.

We have trained all front-line staff on the formal process they should take if any individual objects to the use of their personal data. We will comply with all requests and submit formal documentation outlining all personal data on the subject. We will also suppress any data subjects’ information upon request. All requests or objections can be sent through to gdpr@phmg.com.

We have opt-out options on all our e-shots (sent through our data processor Pure360).


Reaching a decision and documenting the outcome

Using the responses above now document if you believe you are able to rely on Legitimate Interests for the processing operation. Please explain, perhaps using bullet points, why you are, or are not, able to rely on this legal basis. You should draw on the answers you have provided in this LIA.

Outcome of Assessment: Legitimate Interest Assessment Passed, taking into account the nature of our operations and the product we provide, the marketing methods we use are balanced to the impact on the individual.

Signed by: Thomas Croft

Role: Data Protection Lead

Date: May 2018

Review date: Annually