Legitimate Interest Balancing Test

This document describes the execution of the balancing test related to SunUra’s coaching and business services, including the stages of decision-making. The test will be repeated and this description updated accordingly if the purpose, nature, or context of the processing changes.

Participants: Ville-Matti Vilkka, Sari Kuosmanen
Date and time of the test: August 24, 2022, from 2:00 PM to 4:00 PM

Legal Basis for Processing

The processing of personal data must have a lawful basis. In the case of SunUra’s coaching and business services, the most applicable legal basis for processing the personal data of external individuals is legitimate interest, as long as it can be reasonably balanced with the rights and freedoms of the data subjects. This balancing test evaluates the potential risks to data subjects. If the legitimate interest cannot be balanced appropriately, another legal basis defined in the GDPR must be used.

1. Is Legitimate Interest the Most Suitable Legal Basis?

Alternative Legal Grounds:

Public interest:
Public interest as a legal basis must be grounded in law and typically relates to scientific, historical, or statistical purposes. It does not apply in this context.

Consent:
Consent must be freely given, specific, informed, and unambiguous. The data subject cannot consent to open-ended use of their data. The controller must also be able to demonstrate that consent was given—preferably in writing. → Answer: There is a power imbalance between SunUra and the coaching client, as clients are referred by TE Services or the municipal employment trial. Therefore, consent cannot be considered freely given and is not a valid legal basis. The coaching services are commissioned by an authority, meaning SunUra exercises a form of public authority, which makes consent unsuitable.

Contract performance:
There is no contract between the data subject and SunUra which necessitates personal data processing. In principle, services could be delivered anonymously from the client’s perspective.

Legal obligation / Vital interests / Public authority:
The processing is not required by law, does not protect vital interests, and SunUra does not exercise public authority in a way that mandates the processing of personal data. Thus, these legal bases are not applicable.

2. Do the Basic Requirements for Legitimate Interest Apply?


Is the interest lawful?
Answer: The Act on Public Employment and Business Services enables SunUra’s coaching activities.

Is the interest clearly expressed?
Answer: Data subjects are informed through the privacy notice published on SunUra’s website. The notice is also linked in invitations and communications. The balancing test will also be made publicly available.

Does the interest represent a real and immediate need?
Answer: SunUra’s core mission is to provide coaching services. This is the fundamental reason for the company’s existence.

3. Is the Processing Necessary to Achieve the Interest?

Would it be possible to achieve the same outcome with less impact on data privacy?

Answer: No, the data collected is the minimum required to deliver the described service.

To be a legitimate interest, the processing must be necessary for exercising a fundamental right or a broader public interest and be proportionate to that purpose. Relevance in EU or national law strengthens the legitimacy.

4. Does the Interest Override the Rights and Freedoms of the Data Subject?

Controller or Third-Party Interest:

  • What is the interest?
    Answer: The right to offer coaching and contribute to employment support.
  • What benefit does the processing provide?
    Answer: Enables or facilitates service delivery.
  • What harm would arise from not processing the data?
    Answer: Services could not be provided or would be significantly harder to deliver.

Impact on the Data Subject:

  • What type of data is being processed?
    Answer: Name, personal identification details, and contact information (email, phone number, and address if no email is available).
  • How is the data processed?
    Answer: Information is collected directly from the data subject or received from TE Services or the municipal employment trial.
  • Impact of the processing on the individual:
    Answer: Enables the individual’s employment plan to be realized and allows eligibility for unemployment-related social benefits. Data processing is necessary in this context.
  • Are the data sensitive?
    Answer: No sensitive data categories are involved.
  • Would the data subject expect their data to be used this way?
    Answer: Yes. Processing is necessary to ensure access to services and communication with TE Services.
  • Is it likely that the data subject would object to the processing?
    Answer: No.
  • Position of the controller vs. the data subject:
    Answer: SunUra is a service provider, offering coaching upon referral by an authority (e.g., TE Services). SunUra cannot require participation without the authority’s mandate.
  • Are children’s data processed?
    Answer: No.
  • Is the data subject otherwise in a vulnerable position?
    Answer: No.

Identified Risks and Safeguards

Potential risks include:

  • Use of insecure systems → mitigated by using secure, privacy-compliant systems.
  • The coaching referral from TE Services may come as a surprise → however, this falls under TE Services’ obligation to inform.

Temporary balancing:
Risk of disproportionate impact is minimized through appropriate security and transparency measures.

5. Ensure Additional Safeguards

As noted above, technical and organizational measures such as secure systems and staff training are in place to ensure both data protection and information security.

6. Demonstrate Compliance and Ensure Transparency

This document records the balancing test and must be retained. SunUra operates transparently and can justify to data subjects and supervisory authorities that processing is based on legitimate interest. Data subjects are informed of their right to object. Documentation is kept up to date, and the test will be repeated if needed.