GDPR legitimate interests
GDPR legitimate interests as a lawful basis for data collection and processing.
Under the GDPR, legitimate interests is the most flexible lawful basis for processing personal data.
Article 6(1)(f) of the GDPR sets out a lawful basis for processing known as legitimate interests. It reads:
“[where] processing is necessary for the purpose of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.”
‘Legitimate interests’ covers a wide range of interests, whether they belong to the controller or to a third party, and whether they are commercial or serve wider societal benefits.
The GDPR gives examples of legitimate interests, including (but not limited to):
These three questions help determine whether legitimate interests applies to a given collection and use of data:
The processing must be a targeted and proportionate way of achieving the stated purpose. Legitimate interests cannot be relied on as the lawful basis if the same end could reasonably be achieved in a less intrusive way.
It is the most flexible lawful basis for data collection, but it is not always the most appropriate one.
Legitimate interests is most appropriate where an organisation uses personal data in ways that individuals would reasonably expect and that have a minimal privacy impact. Where the processing does have a significant impact on individuals, it can still apply, but only if the controller can show a compelling justification for that impact.
Organisations can rely on legitimate interests for direct marketing if they can show that the processing is proportionate and fair to the individual: it must have a minimal privacy impact and be something people would not be surprised by. Note that electronic direct marketing (for example by email or SMS) is also subject to the separate e-privacy rules (PECR in the UK), which can require consent regardless of the GDPR lawful basis chosen.
Where legitimate interests is relied on to process children’s data, extra care must be taken, since Article 6(1)(f) expressly notes that a child’s interests and rights are more likely to override the controller’s interests.
Before processing begins, carry out a legitimate interests assessment (LIA) for the specific purpose of the processing. The LIA is what establishes whether legitimate interests is an appropriate lawful basis.
Keep a record of the LIA to meet the accountability obligation in Articles 5(2) and 24 of the GDPR. The LIA is a three-part test. To identify the legitimate interest (the purpose test), ask the following:
To decide whether the processing is necessary for that purpose (the necessity test), ask:
To decide whether your interests are properly balanced against the individual’s interests, rights and freedoms (the balancing test), ask:
From this you can decide whether legitimate interests is an appropriate lawful basis for the processing, or whether you should rely on a different basis.
For more information and detailed guidance on legitimate interests, see the ICO website.