Legitimate interest documentation

Overview of the applicable regulation

Pursuant to Article 6 of the GDPR, any processing of personal data must have a legal basis in order to be lawful.

Six legal bases are provided for by the GDPR:

  • consent;
  • contract;
  • legal obligation;
  • protecting vital interests;
  • public interest;
  • the legitimate interests pursued by the controller.

To base processing on its legitimate interests, the data controller must meet certain requirements. It must weigh its interest against the "interests or fundamental rights and freedoms of individuals" and must also take into account the "reasonable expectations" of such individuals. This "balancing" of the rights and interests in question must be carried out for each processing operation based on legitimate interest, with regard to the concrete conditions of its implementation (Art. 6 and recitals 47 to 49 of the GDPR).

The CNIL has established the following methodology, which it recommends following so that the data processor can validly rely on legitimate interest as a legal basis:

  1. Identification of the "legitimate" nature of the interest pursued by the controller;
  2. Verification of the "necessary" nature of the processing in the light of this objective;
  3. Assessment of the infringements of the interests and rights and freedoms of individuals and taking into account their reasonable expectations with the aim of balancing these elements and, where applicable, providing for additional measures.

The CNIL specifies that this approach must be followed in all cases, including in cases where the legitimate nature of the interest pursued by the controller is obvious.

Details of this methodology are attached as an appendix.

1. Identification of the legitimate interests pursued
Processing concerned: OFFERWALL / API OFFERS / RTB
Definition

MOBSUCCESS collaborates with publishers under contract. Internet users will browse the publishers' media and be exposed to personalised or non-personalised advertisements, depending on the consent provided through the mobile application.

MOBSUCCESS collaborates with intermediaries who are under contract with publishers. MOBSUCCESS will use API technology and tracking links to disseminate advertisements. Internet users will be exposed to advertisements through the publishers, who will have selected the advertisements to be disseminated from the campaigns offered by the intermediary, which, in turn, will have obtained them from MOBSUCCESS.

MOBSUCCESS uses RTB programmatic advertising systems to deliver the advertisements of its advertising clients (online bidding system where bids are made in the form of Bid Requests).

MOBSUCCESS service

This processing is part of the "App Marketing" services of MOBSUCCESS, which consist of the dissemination of personalised or non-personalised advertisements on behalf of advertising clients for the purpose of promoting mobile or internet applications and encouraging Internet users to carry out an action related to the application (for example: downloading an application). The action carried out by the Internet user may result in the granting of a reward or credit for the benefit of the latter (incentivised advertising).

This processing is part of the "Drive to store" services of MOBSUCCESS, which consist of the dissemination of personalised advertising on behalf of advertising clients in order to promote a brand and, in conjunction with the advertising client, the measurement of the performance of advertisements aimed at bringing Internet users to stores or points of sale.

Processing based on legitimate interest

Crediting the Internet user according to the action taken

Crediting the publisher

Preventing fraud

Crediting the Internet user according to the action taken

Crediting the intermediary

Preventing fraud

Ensuring security, preventing and detecting fraud, debugging errors

Legitimate interest pursued

Crediting the Internet user according to the action taken: it is in the legitimate interest of MOBSUCCESS to carry out its activity by allowing the Internet user to benefit from the reward promised as part of the incentivised advertising.

Crediting the publisher / intermediary: it is in the legitimate interest of MOBSUCCESS to carry out its activity by remunerating the publisher / intermediary, according to the advertisements disseminated.

Preventing fraud: it is in the legitimate interest of MOBSUCCESS to secure its activity and the service it sells to its advertising clients, by making sure it credits only a real Internet user, who has respected the rules of incentivised advertising (e.g. not crediting a fake profile created by a robot).

Ensuring security, preventing and detecting fraud, debugging errors: it is in the legitimate interest of MOBSUCCESS to secure its activity and the service it sells to its advertising clients, by ensuring (i) that the advertisements are disseminated to real Internet users and not to robots and (ii) that it identifies possible technical problems and corrects them.

2. Assessment of legitimate interest
Processing concerned: OFFERWALL / API OFFERS / RTB
Legitimacy (lawful, determined, real and present interest)

Balance of interests with the reasonable expectations of individuals: this interest is lawful under French law. It is determined and explained in the Mobsuccess privacy policy. It is real as it aims to allow the implementation of incentivised advertising as part of the App Marketing services of MOBSUCCESS.

Crediting the publisher / intermediary: this interest pursued is lawful under French law. It is determined and explained in the Mobsuccess privacy policy. It is real as it enables the implementation of the App Marketing services of MOBSUCCESS by compensating the publishers / intermediaries which have disseminated the advertisements of the advertising clients.

Preventing fraud: this interest is expressly referred to as legitimate in the GDPR (recital 47).

Ensuring security, preventing and detecting fraud, debugging errors: this interest is expressly referred to as legitimate in the GDPR (recital 47).

Necessity

Crediting the Internet user according to the action taken: the very principle of incentivised advertising consists in seeking an action from the Internet user and rewarding them when they carry it out, which requires identifying them.

Crediting the broadcaster / broadcasting intermediary: this interest is necessary in the sense that the implementation of the activity of MOBSUCCESS requires it to be able to remunerate its publishers / intermediaries.

Preventing fraud: it is obviously necessary for MOBSUCCESS to secure its activity, for example in order not to credit fake profiles.

Ensuring security, preventing and detecting fraud, debugging errors: this interest is necessary because MOBSUCCESS is accountable to its advertising clients and must ensure that it does not provide a service that is misleading or has technical defects.

Balance of interests with the reasonable expectations of individuals

Crediting the Internet user according to the action taken: Internet users can naturally expect MOBSUCCESS to collect their data in order to credit them since the advertisements displayed will encourage them to take actions in return for rewards.

Crediting the publisher / intermediary: Internet users can reasonably expect that an incentivised advertising display service includes a remuneration system for the various players and therefore requires monitoring and collection of data. The measures put in place to credit publishers / intermediaries remain proportionate to the rights and interests of Internet users:

  • MOBSUCCESS collects only the data strictly necessary to ensure the display of advertisements and to credit publishers / intermediaries;
  • MOBSUCCESS asks Internet users for their consent for other potentially more intrusive purposes (e.g. selection of advertisements, targeting, measurement of frequency and performance of advertisements).

Preventing fraud: Internet users can reasonably expect MOBSUCCESS to take anti-fraud measures and collect certain data for this purpose. These measures remain proportionate to the rights and interests of Internet users:

  • MOBSUCCESS collects only the data strictly necessary for this purpose;
  • MOBSUCCESS does not use intrusive means to prevent fraud (no systematic monitoring is carried out).

Ensuring security, preventing and detecting fraud, debugging errors: Internet users can reasonably expect MOBSUCCESS to take anti-fraud measures to ensure a quality service for its clients.

These measures remain proportionate to the rights and interests of Internet users:

  • MOBSUCCESS collects only the data strictly necessary for this purpose;
  • MOBSUCCESS asks Internet users for their consent for other potentially more intrusive purposes (e.g. selection of advertisements, profiling, targeting, measurement of frequency and performance of advertisements);
  • MOBSUCCESS does not use intrusive means to prevent fraud (no systematic monitoring is carried out).

3. Conclusion

In the light of all these elements, it can be considered that the “OFFERWALL”, “API OFFERS” and “RTB” processing can be based on the legitimate interests pursued by MOBSUCCESS for the purposes referred to in the tables above.

Appendix - The methodology recommended by the CNIL

In order to check that data processing is based on legitimate interest, it is necessary to verify 3 conditions:

1. The legitimacy of the interest pursued

In accordance with the examples set out in particular in recital 47 of the GDPR, the CNIL states that this legal basis can be considered for data processing:

  • that aims to ensure the security of the network and information,
  • implemented for the purposes of preventing fraud,
  • necessary for commercial prospecting operations with customers of a company,
  • relating to customers or employees within a group of undertakings for internal administrative management purposes.

Beyond these examples, the "legitimate" nature of the interest pursued by an organisation can be presumed if the following 3 conditions are met:

  • the interest is manifestly lawful under the law;
  • it is determined in a sufficiently clear and precise manner;
  • it is real and present for the organisation concerned, and not fictitious.

2. The necessity of the interest pursued

The organisation must verify that the intended data processing actually achieves the objective pursued, and not, in reality, other objectives. It must also ensure that there is no less intrusive way with regard to privacy to achieve this goal than the intended processing (e.g. a system that does not process personal data, or a different system of processing that is more protective of privacy).

3. The balance of interests: the processing must not override the rights and interests of the individuals whose data are processed, taking into account their reasonable expectations.

The organisation must balance and weigh up the rights and interests in question, and verify that the interests (commercial, security of property, anti-fraud, etc.) pursued do not override the rights and interests of the individuals whose data are processed.

The aim is therefore to ensure that the interest pursued and the processing carried out remain proportionate to the interests of the data subjects.

In practical terms, the organisation must first identify the consequences of all kinds that its processing may have on the data subjects: on their privacy but also, more broadly, on all the rights and interests covered by the protection of personal data. This involves assessing the degree of intrusion of the intended processing into the individual sphere, by measuring its impact on the privacy of individuals (processing of sensitive data, processing concerning vulnerable persons, profiling, etc.) and on their other fundamental rights (freedom of expression, freedom of information, freedom of conscience, etc.) as well as the other concrete impacts of the processing on their situation (monitoring or surveillance of their activities or movements, exclusion from access to services, etc.). These impacts need to be measured in order to determine, on a case-by-case basis, the extent of intrusion into the lives of individuals caused by the processing.

The organisation must then take into account, in weighing its legitimate interest against the rights and interests of individuals, their "reasonable expectations". This consideration is essential with regard to processing that can be implemented without the prior consent of the individuals: in the absence of a positive and explicit act on their part, the legitimate interest requires that individuals should not be surprised by the way in which the processing is carried out or by its consequences. A good test, therefore, when an organisation is considering basing its processing on legitimate interest, is to check that the processing is in line with these expectations: demonstrating a legitimate interest will be easier for a system that can be reasonably anticipated in a given context (e.g. developing the loyalty of people who are already customers of the company), than for processing that diverges from people's expectations (e.g. using a social network involves putting people in touch with each other, but profiling their actions with a view to sending them targeted advertisements may exceed their reasonable expectations).

Finally, the organisation may provide for compensatory or additional measures to be put in place in order to limit the impacts of the processing on the data subjects and thus achieve a balance between the rights and interests in question. For example, in the case of a targeting processing of individuals’ online purchasing behaviour, which is likely to reveal numerous preferences and habits affecting their privacy, provision may be made for an unconditional right of objection for individuals, enabling them to stop the intrusive profiling they are subjected to.

If these three conditions are met, the processing may validly be based on legitimate interest.