A legitimate interest assessment is a three-step test that determines whether you actually have a legitimate interest in carrying out the processing, whether the processing is necessary to achieve that interest, and whether the rights and freedoms of data subjects outweigh your interest. If they do, you cannot rely on legitimate interests and you must obtain the consent of the data subjects. You will find a legitimate interest assessment form in my GDPR compliance package, which you can access under //www.suzannedibble.com/gdprpack
Yes. Individuals can claim compensation from joint controllers in the same way as from any single controller. Any joint controller is liable for all damage caused by the processing, unless it is able to demonstrate that it is in no way responsible for the event that causes the damage. The agreement between controllers is not relevant for these purposes.
A luxury car company collaborates with a designer fashion brand to organize a co-branded promotional event. The companies decide to organize a draw during the event. They invite participants to enter the draw by entering their name and address into their contest system at the event. After the event, the companies send the prizes to the winners. They do not use the personal data for any other purpose.
Although Article 26 of the GDPR requires an agreement between joint controllers, the agreement does not have to be in writing. Putting it in writing is nevertheless good practice and helps to prove liability. Article 26 also provides that the core of the agreement must be made available to data subjects (probably in data protection notices) and that a contact point may be designated for data subjects.
Regardless of the nature of the agreement and the division of responsibilities between the joint controllers, a data subject may exercise his or her rights vis-à-vis each of the joint controllers.
If you transmit personal data to third parties, whether to a joint controller or to an independent controller, you must have a legal reason to process the personal data in this way. It is possible to share data on the basis of legitimate interests, but you must carry out a very careful legitimate interest assessment in order to guarantee legality, and of course keep it in case you are ever challenged. If, as a joint controller, you had to pay compensation to a person but were not fully responsible for the damage, you may be able to recover from another controller or subcontractor the part of the compensation for which they were responsible.
Consent is not valid if you ask the data subjects to agree to receive direct marketing from “hand-picked partners” or any other similar generic description. Consent is not valid even if a long list of general categories of organisations is made available to the individuals concerned. If you can invoke legitimate interests, you must inform the data subjects of the transmission of the data and grant them the right to opt out.