What is a “legitimate interest” and why do you need to know about it?
You have probably heard of legitimate interest as one of the six lawful bases for processing personal data under the GDPR. Consent is usually treated as the last resort, used only when “stronger” bases such as a legal obligation or the performance of a contract do not apply. Legitimate interest, however, is often a more suitable and reliable basis: it allows you to process data without constantly nudging your clients to tick the “I agree” box.
Legitimate interest – the most flexible lawful basis
According to Article 6(1)(f) GDPR:
“1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
The GDPR introduces legitimate interest as a lawful basis without strictly defining it. The Regulation sets only the data subjects’ interests, rights and freedoms as the boundary of legitimate interest, which makes it the most flexible lawful basis. In principle, you can rely on legitimate interest for a wide range of reasonable purposes and for many types of processing.
That is, of course, only as long as you meet the criteria that balance your interests against those of the data subjects.
How to know if you have a legitimate interest?
Precisely because legitimate interest can be used in such a wide range of circumstances, it is your responsibility to show that the necessity of processing the personal data has been weighed against the interests, rights and freedoms of the individuals concerned.
In other words, you have a legitimate interest if:
- You have a specific purpose for processing the data (purpose test).
- The processing is necessary for that purpose (necessity test).
- Your interest is not overridden by the individual’s interests, rights or freedoms (balancing test).
This means you cannot simply decide that the processing is in your legitimate interest. You must be able to satisfy the three-part test that justifies your interest as legitimate, a process also known as a Legitimate Interests Assessment (LIA).
How to make a Legitimate Interests Assessment?
To carry out an LIA you need to perform the following three tests and assess their overall outcome:
- Purpose test: the goal of this test is to identify your legitimate interest. Determine what you are trying to achieve and what benefits you will gain from the processing.
- Necessity test: consider whether the processing actually furthers that interest and whether there is a less intrusive way to achieve the same result.
- Balancing test: one of the most important questions is whether the data subjects would reasonably expect you to use their data in this way. Also consider whether the data is special-category (sensitive) data or children’s data, and what the possible impact on the individual is.
Keep in mind that the outcome of the three-part test is a judgement call rather than a certainty. What matters is that you can show, and document, that the risks you have identified do not override your legitimate interests.
When can you rely on legitimate interests?
Legitimate interests may be the most flexible lawful basis, but you cannot assume it’s always the right choice. If you rely on legitimate interests, you carry extra responsibility for fully considering the data subjects’ rights and interests.
Legitimate interests are most appropriate when you use data in ways that people would reasonably expect and that have a minimal privacy impact.
What are the usual legitimate interests?
- Direct marketing (Recital 47 GDPR). In that case the processing needs to have minimal privacy impact and people should not be surprised or likely to object. Note that under Article 21(2) GDPR the data subject has an absolute right to object to processing for direct marketing, and you must stop as soon as they do.
- Personalisation and web analytics for improving the customer experience and optimising future campaigns.
- Transmission of personal data within a group of undertakings for internal administrative purposes, including client and employee data (Recital 48 GDPR).
- Ensuring network and information security, including preventing unauthorised access to electronic communications networks (Recital 49 GDPR). The recital limits this to processing that is strictly necessary and proportionate for that purpose.
When should you avoid relying on legitimate interests?
- You are using personal data in ways people do not understand and would not reasonably expect, or you think they might object if you explained it to them.
- You can achieve your end result without using personal data, or the balancing test does not come out clearly in your favour.
- You do not have a clear purpose and are keeping the data “just in case” (in that case you are not compliant on any basis).
- Another lawful basis more obviously applies to the particular purpose.
What should you do now?
If you want to use legitimate interest as the lawful basis for processing personal data, you need to take the following steps:
- Carry out a Legitimate Interests Assessment and keep a record of it.
- Confirm that you meet the requirements of the three-part test.
- Inform the data subjects about the legitimate interests you are pursuing, as required by Articles 13 and 14 GDPR (e.g. include the information in your privacy notice).
- Review and update your LIA regularly to make sure the balance between your interests and those of the individuals has not shifted.