Legitimate Interest Policy


1. Scope and Applicability

This Policy sets out Werfen Limited (“Werfen UK”) legitimate interest for processing personal identifiable information (PII) and personal sensitive data linked to compliance with Global Data Protection Regulations (GDPR), this document applies to customers, and suppliers of Goods and Services to Werfen Limited.

 

2. Policy Statement

Werfen UK will use Legitimate Interest as one of it’s the basis of its GDPR compliance, for processing PII from customers and suppliers.

The Legitimate Interest justification is based on the following excerpt from the General Data Protection Regulation which outlines where Legitimate Interest can be used:

  • Under Article 6 1(f) –

processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of Personal Data, in particular where the data subject is a child.’

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

  • Under Recital 47 -

The legitimate interests of a controller, including those of a controller to which the Personal Data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller.

Further, the GDPR states that “the processing of Personal Data for business activities and purposes may be carried out for a legitimate interest. An organisation may wish to rely upon Legitimate Interests where consent is not viable or not preferred and the balance of interest’s condition can be met.” Werfen UK has thus carried out a Legitimate Interest Assessment.

 

Legitimate Interest Assessment –

Where required, Werfen UK will undertake a Legitimate Interest Assessment, this has been identified as a 3-step process:

  1. Identifying a Legitimate Interest

  2. Carrying out a Necessity Test

  3. Carrying out a Balancing Test

All Assessments will be available to the relevant data subjects and formal notification of the processing activities and justification will be provided.

 

Werfen UK Customer Personal Information -

Identifying a Legitimate Interest

Werfen UK has a legitimate interest in processing the personal data of data subjects that are likely to use Werfen UK products or services. The only personal data that is held and stored and processed by Werfen UK is name, business job function, and contact details. Segmentation is done by their customer history, if any, and their organisation, industry or professional and technical expertise. All the services provided by Werfen UK have direct relevance to the data subject.

Necessity Test

The processing is necessary in pursuit of the interests above. Werfen UK has examined alternatives and the only alternative available – unambiguous opt-in – was reviewed and rejected as impossible to implement given the range of our products and services. Our users and equipment are in use 24 hours a day, with limited access to email, we also have a continuous sales cycle with the same data subjects being key players across multiple markets.

Balancing Test

Werfen UK has conducted a balancing test to ensure that our interests do not override those of data subjects.

We believe that the data subjects will have a reasonable expectation of being contacted by Werfen UK because of their job responsibilities.

The data we hold and use is always connected to an individual’s business and professional responsibilities.

All data subjects are given notice and choice when added to the contacts database. They are informed about the legal basis of our processing, the purpose of this (for use by Werfen UK and its partners). They will have access to the data we store about them and it will be kept accurate and secure.

 

Werfen UK Supplier Personal Information -

Identifying a Legitimate Interest

Werfen UK has a legitimate interest in processing the personal data of business to business contacts that likely to use and do interact with Werfen UK, in the provision of Goods and services. The only personal data that is held and stored and processed by Werfen UK is name, business job function, and contact details. All details are kept, to support provided services, linked with Werfen UK’s internal quality management system requirements, we may keep your records after a supplier cesses activity with Werfen UK, to support our internal processes.

Necessity Test

The processing is necessary in pursuit of the interests above. Werfen UK has examined alternatives and the only alternative available – unambiguous opt-in – was reviewed and rejected as impossible to implement given the nature of the interactions with our suppliers.

Balancing Test

Werfen UK has conducted a balancing test to ensure that our interests do not override those of data subjects,

We believe that the data subjects will have a reasonable expectation of being contacted by Werfen UK because of their job position / role and associated responsibilities.

The data we hold, and use is always connected to an individual’s business and professional responsibilities.

 

All data subjects will provide their PII directly to Werfen UK representatives, either over the phone / face to face or via electronic communication, there information will be added to the contacts database, the data subjects reserve the right to inform Werfen directly during this process to be excluded from our contacts database, all contacts are informed about the legal basis of our processing, the purpose of this (for use by Werfen UK and its partners). They will have access to the data we store about them and it will be kept accurate and secure.

 

3. Responsibility and Authority

This policy is produced by the Data Protection Delegate (DTS), the objectives are set by Senior Management team of Werfen UK and the policy is approved by the General Manager. The Information Technology and Information Security Group is responsible for supporting the adherence to this policy and any related procedures.

 

4. General

This policy aligns to the requirements and expectations defined within ISO 27001:2013 and ISO 9001:2015


 

Signed:  Richard Hames, General Manager

Signed:   Daniel Maud, Data Protection Delegate

 

For and on behalf of Werfen UK