GDPR Legitimate Interests

Under GDPR legitimate interests is the most flexible lawful basis for data processing.

Table of Contents

What is the legitimate interests lawful basis for data processing?

In Article 6(1)(f) of GDPR, a lawful basis for processing is presented called legitimate interests. It says:

“[where] processing is necessary for the purpose of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.”

How do companies work out whether they are pursuing a legitimate interest?

‘Legitimate interests’ covers a wide range of interests, whether of the company, third parties, commercial or for wider societal reasons.

GDPR says that examples of legitimate interests include (but are not restricted to):

• Use of client or employee data
• Marketing
• Fraud prevention
• Intra-group transfers
• IT security

These three questions can help determine legitimate interests for data collection and use:

1. Purpose: why do you want the data?
2. Necessity: is the data processing necessary for the primary purpose?
3. Balancing: do the individual’s interests outweigh the legitimate interest?

The data processing must be targeted and a balanced way of achieving the overall purpose. Legitimate interests can’t be relied on as the legal reason for data processing if there is another less intrusive way to achieve the same end.

When is legitimate interests appropriate and lawful?

It is the most flexible lawful basis for data collection, but not always the best option.

Legitimate interests is most appropriate as a lawful basis where companies use personal data in a way that individuals can reasonably expect. If it impacts individuals, it can still apply if the controller company can justify there is a compelling reason for the impact the processing will have.

Companies can rely on legitimate interests for marketing purposes if they can prove that the data usage is proportionate and fair to the user. It must have a minimal impact on the user in privacy terms and be for a reason that people would not be surprised at.

If legitimate interests is considered to process children’s data, extra care must be taken to protect the user interests.

Avoid legitimate interests as a lawful basis if:

• You think people might object.
• You think people won’t reasonably expect you to use their data for your purpose.
• You think people won’t understand.
• If the data processing could cause harm.
• If you are a public authority – public authorities can’t rely on legitimate interests for any data processing unless there are commercial interests.

Do you need a legitimate interests assessment (LIA)?

Before you begin data processing, carry out an LIA risk assessment based on the specific purpose for the data. This will help to determine the lawfulness of the data processing.

Record the LIA under the accountability obligation that can be found in Articles 5(2) and 24 in the GDPR document. To identify the legitimate interest, ask the following:

• What is the overall goal for the data processing?
• Who will benefit from the data processing and how?
• What are the wider public benefits of the data processing?
• Is there any way your use of the data could be unethical or unlawful?

To decide whether it’s necessary, ask:

• Will this data processing actively further the overall interest?
• Is this a reasonable way to reach the goal?
• Could there be a less intrusive way to get the same result?

To decide whether it’s properly balanced for users, ask:

• What is the relationship between the company and the user?
• Is any of the data considered sensitive or special?
• Would the user reasonably expect you to use their data in this way?
• Could some users object and say it’s too intrusive?
• How will the data processing impact the individual?
• What safeguards can you put in place to minimise the impact?

From this you can make a decision about whether legitimate interests is an appropriate lawful decision or whether you should find a more appropriate basis.

For more information and detailed guidance on legitimate interests, head to the ICO website here.

If you require help with a GDPR Compliance, Online Reputation Management, Removing content from Google, or a Right to be Forgotten request, please use the form below. By submitting an enquiry you agree to the gdpreu.org privacy policy.