Legitimate Interest Assessment
Last updated: April 15, 2026
Megadeals International AB / Njord
Background
When processing personal data under the General Data Protection Regulation 2016/679 (“GDPR”), a legal basis for processing must always be identified. There are six legal grounds for legitimately processing personal data.
Consent is one such ground. For a private company, a common legal basis for processing personal data is “legitimate interest”. Megadeals envisages relying on legitimate interest as the legal basis for processing personal data in connection with its services.
Introduction to the ground of legitimate interest
According to Article 6.1(f) GDPR, a legal basis to process personal data exists if the processing is necessary for the legitimate interests pursued by the data controller or a third party. When using legitimate interest as the legal basis, the data controller should assess whether the interest in processing personal data outweighs the interests or fundamental rights and freedoms of the data subject. It is clear that it is possible to process personal data for direct marketing purposes based on a legitimate interest in many situations.
Who needs to carry out the legitimate interest assessment?
A legitimate interest assessment should be performed by the party intending to process personal data using legitimate interest as a legal basis. That party is referred to as the data controller. The individuals who will be targeted are referred to as the data subjects.
Since Megadeals’ customer ultimately decides the purposes and means of data processing, the customer will be considered the data controller under the GDPR. The customer will therefore formally need to conduct a legitimate interest assessment when using Megadeals’ services.
Purpose
The data controller intends to process personal data to reach key contacts and forge key business relationships. By building brand awareness, engagement and business relationships, the data controller expects to benefit from increased brand positioning, revenue, enhanced earning capacity with new and existing customers, and establishing dominance within its market segment. The data subjects will be targeted with advertising campaigns based on their engagement and business relationship with the data controller. The processing of personal data will also benefit the data subjects by increasing their awareness of relevant products and services. The data controller and subjects are part of a finite market. These targeting methods are essential to find key stakeholders.
Instruction: If you wish to add information specific to your company, please add it to the section above.
Assistance According to This Document
Megadeals is committed to guiding you through establishing a legitimate interest. By providing the necessary documentation and support, you will have the tools to finalise a legitimate interest assessment. The purpose of this document is to simplify the performance of a legitimate interest assessment. (Please note that this does not mean that Megadeals should be considered a controller or joint controller.)
By following and finalising the steps below, you (the data controller) can assess whether the legitimate interest outweighs the interests or fundamental rights and freedoms of the data subject. To help simplify the process, the assessment of a hypothetical data controller using Megadeals’ services has been completed as an example. It is essential that the assessment be revised and updated with applicable information concerning the data controller’s specific business and agreed transaction. Megadeals will be happy to assist with any questions or comments.
Instructions
The steps below should be followed when assessing whether there is a legitimate interest. The assessment is based on five steps:
• Personal Data Process Description: The description should be as detailed as possible to provide an overview of the process and establish that the actions chosen are within the purpose.
• Identifying a Legitimate Interest: This part of the assessment confirms that the data controller has a legitimate interest in processing personal data. It is important to decide on and establish this interest before processing.
• Necessity Test: This step helps the data controller assess whether the processing is necessary, compared with less intrusive methods of achieving the described purpose.
• Balancing Test: Circumstances to consider when assessing whether the data controller’s interest in processing personal data outweighs the interests or fundamental rights and freedoms of the data subject.
• Conclusion: The final step helps the data controller decide whether the legitimate interest outweighs the data subject’s interests or fundamental rights. If there are uncertainties, please contact Megadeals.
This document should be finalised and adjusted to fit the data controller’s business.
Questions concerning this assessment should be addressed to: david@megadeals.com / david@njord.io
Assessment of Whether There Is a Legitimate Interest
Step 1. Description of the Personal Data Processing
Describe the personal data processes.
The data controller will, by using a business solution service, target key companies (accounts) and stakeholders, and market products/solutions that they believe will be beneficial to those businesses and the targeted subjects. By using personal data collected from available and public sources like LinkedIn, the data controller helps the data subject receive relevant information about innovative products/services that could be beneficial to them while also marketing their own category, subcategory, and products/services.
The personal data collected is data voluntarily provided by the data subject when creating a social media account with LinkedIn. The personal data processed is public information such as name, job title, company and, in some cases, email address. For larger companies, information about their business organisation will also be processed to better locate and target the relevant categories of professionals.
No special categories of personal data will be processed.
Instruction: Please revise and add information specific to your business.
Purpose of processing personal data
The purpose of processing personal data is to optimise business flows by targeting key stakeholders within a finite market who have the influence to purchase the products/services provided by the data controller.
Step 2. Identifying a Legitimate Interest
Is the processing of personal data of legitimate interest to the data controller?
Yes, the processing of personal data is of legitimate interest for the purpose of marketing products and services to concerned businesses. By engaging key accounts and stakeholders to establish a business relationship, the data controller aims to market their products and services to the professional categories that have the possibility to increase the data controller’s sales and brand awareness.
Is the interest of importance to the data controller?
Yes, without sufficient marketing, the data controller will have difficulties reaching the concerned businesses and consequently fail to thrive. It is of critical importance to rapidly target and reach targeted customers to grow the business. By processing public information, the data controller can navigate quickly and find the stakeholders and key accounts to direct its marketing actions.
Is the interest legitimate?
Yes, the personal data processed is mainly collected from public sources like LinkedIn, where the main purpose is to build and establish business relationships. The advertisement will contribute to furthering the relationship between the data controller and the data subject’s companies.
Identify a Third Party’s Legitimate Interest
Is the processing of personal data of interest to a third party or the public?
Yes, the targeted subjects work within companies that provide the public with products and services. The advertisement will help bring these innovations in front of the public.
Is the interest of importance to a third party/the public?
Yes, there is a public interest in providing information concerning the data controller’s products/services. The marketing actions will help bring awareness to new innovations.
Has a legitimate interest been established?
Yes – please proceed.
Step 3. Necessity Test
Is it a necessity to process personal data? Is it possible to achieve the purpose without processing personal data?
Yes, it is necessary to process personal data to achieve the purpose. It is not possible to achieve the purpose without the processing of personal data.
By using a service that helps optimise and engage key contacts and stakeholders with the data controller’s existing customers and, in some cases, new customers within the data controller’s market segment, the data controller can provide its products/services to a relevant group of individuals. The key contacts and stakeholders targeted are mainly individuals in professional categories who expect to be approached and targeted by relevant companies.
Is the processing of personal data considered proportionate in relation to the determined purpose?
Yes, the personal data processed is mostly information already available to the public. The information chosen is just enough to find and engage a relationship by targeting chosen subjects with relevant products and services. Personal data is collected at the point of need, processed and used immediately.
Personal data will not be retained for longer than is necessary for the purposes for which it was collected. For data processed in connection with active campaigns, necessity is determined by reference to the duration of the campaign and any reasonable follow-up period required to measure outcomes. Data that is no longer necessary for these purposes will be deleted promptly, and in any case within 30 days of the point at which necessity ceases. Upon a valid erasure request from a data subject, data will be deleted within 30 days of the request. Upon termination of the Agreement, all personal data will be deleted or returned in accordance with the Data Processing Agreement.
Is it possible to achieve the same purpose using other methods that affect the data subject’s personal integrity less?
Yes, by contacting all employees of the data controller’s existing customers, publishing adverts, sending emails, texting, and calling on the phone, it is possible to reach some of the targeted individuals. These efforts would require the data controller to hire people, or assign its own staff, to map and understand the market in order to target and advertise to the right categories of people within the concerned marketing segments.
Would an alternative method of processing personal data require unreasonable efforts?
Yes, the efforts that would need to be taken would be expensive and require extensive time and research. Further, the result would risk being less successful, since mapping and understanding the market and finding the key people within it would take much longer. There is also a risk that the individuals approached will find it intrusive if the efforts to engage are too aggressive. These methods would also result in unnecessary advertisement to individuals and professionals who are not interested in or in need of the data controller’s products/services.
Is it necessary to process personal data to achieve the purpose?
Yes – Proceed.
Step 4. Balancing Test
Assess the Nature of the Data Processing and the Interest
Should the data subject expect this kind of processing of personal data?
Yes, the information is collected from public sources like websites and professional platforms, with the aim of attracting interested and relevant businesses. To do so, the data subject provides these platforms with information to receive and be approached with offers by companies within their field of business.
Will the data subject receive specific information concerning the processing of personal data?
Yes, the data subject will be provided with general information about the processing of personal data in connection with the advertisement.
Does the data controller have an established relationship with the data subject?
Yes, most of the data subjects are existing customers with whom the data controller hopes to develop and expand an existing relationship to increase revenue. In some cases, new customers are targeted within the data controller’s market segment.
What kind of personal data will be processed?
Mainly personal information that the data subject has made available, such as name, company, job title, business email address, country of residence, and URL link to LinkedIn.
How is the personal data collected?
From another source: LinkedIn, Apollo and the official board.
Assess the Consequences of the Processing of Personal Data
Is the processing of personal data favourable to the data subject?
Yes, the data subject will have the possibility to purchase products/services to expand their own business or place of work.
Are there negative effects for the data subject in relation to the processing of personal data?
Yes, there is a minor risk that the data subject feels tracked if there is excessive exposure to the data controller’s brand. However, the risk is considered to be minor, and security measures have been taken to ensure that information is deleted when no longer necessary. The personal data processed is limited to a few accounts and individuals.
Is it likely that the data subject will think of the processing of personal data as invasive or inappropriate?
No, the information is collected from public sources and should only concern work-related information. Further, the information is collected from sources like LinkedIn, where the purpose is to build and develop business relationships.
Will the processing of personal data require more personal data than what is processed by the data controller or a third party?
No, the information processed is the essential information needed to achieve the data controller’s purpose.
Will the processing of personal data result in sharing personal data with a third party?
No, however, the data controller will use a data processor to process personal data in accordance with the purpose and means decided by the data controller.
Would a personal data breach result in serious effects on the data subject?
No, the information is already known and available to the public.
Will the risk of personal data breach increase through the processing of personal data?
Yes, but security measures have been taken to prevent a personal data breach. Only an authorised person will have access to the archived data.
Will the data controller be subject to negative consequences if personal data is not processed?
Yes, the data controller will have problems growing its business and finding its key contacts.
General Information Concerning the Assessment
Will a third party with a legitimate interest be subject to negative consequences if personal data is not processed?
No.
Are the parties equal? Is there a power imbalance between the data controller and the data subject?
No. A power imbalance exists primarily because the data controller is an organisation with access to tools and resources that allow it to collect, analyse, and use data for targeted marketing. However, this imbalance is mitigated by the fact that the data subject has willingly shared their professional information on public platforms with the expectation of being approached by businesses. Furthermore, the data subject has the right to object to the processing and has control over their data visibility on platforms like LinkedIn, balancing some of the inherent power dynamics between the parties.
Are there other relevant circumstances concerning the processing of personal data that should be included in this assessment?
No.
Assess the Relevant Security Measures
Is it (or will it be) possible to object to the data processing before it begins?
No. However, the possibility to object as soon as the processing has begun still stands.
Is it (or will it be) possible to object to the processing of personal data after the processing has begun?
Yes, the data subject can notify the data controller or the social media platform displaying the advertisement to object to the processing of personal data. There is also the possibility to have the data controller explain the processing details to the data subject.
Is it (or will it be) clear to the data subject that it is possible to object to the processing of personal data?
Yes.
Is it (or will it be) clear to the data subject that security measures have been taken to safeguard the processing of personal data?
Yes, the personal data is secured using the SHA-256 cryptographic hash function. The hash function is one of the most widely used pseudonymisation techniques. Further, security measures that prevent unauthorised access have been taken. Through identification and authentication procedures, only a limited number of people have access to the archived data.
Step 5. Conclusion
Based on the answers above, is it established that the data controller’s interest in processing personal data outweighs the data subject’s interests or fundamental rights and freedoms?
Yes.
What is the reason for this conclusion?
The personal data processed is sourced from publicly available platforms such as LinkedIn, where individuals voluntarily share their professional information with the intent of engaging in business networking and receiving relevant business-related communications.
The data is used in a B2B context, primarily targeting professionals within their work capacity. Only essential data required for targeted marketing is processed, ensuring proportionality. Comprehensive security measures, including encryption and restricted access, have been implemented. Individuals retain the right to object to the processing.
Instruction: Please finalise this section with information specific to your business.
The person responsible for the assessment: _______________
The assessment is finalised by: _______________
Date of finalisation: _______________
Contact Information
Questions concerning this assessment should be addressed to:
Email: david@megadeals.com / david@njord.io
Phone: +46 73 359 56 55
Company Information: Megadeals International AB (trading as Njord), reg. no 559220-2120
Address: Mäster Samuelsgatan 42, 111 57 Stockholm, Sweden