What is GDPR Legitimate Interest?

GDPR compliance is an important consideration for any business collecting the personal data of its EU customers. The principle that underlies GDPR is that of ‘data protection by design and default‘. It means that businesses need to consider the data they collect, how it is processed, how it is secured, and why they are processing it in the first place. You will need to have a lawful basis for legally collecting and processing the users’ personal data. The principle of legitimate interest under GDPR presents a legitimate case when an organization can process your personal data without disclosing them when no explicit consent from the user is needed. That is, the concept of legitimate interest allows organizations to process personal data without consent, provided that the processing is appropriate, relevant, and not excessive.

Let’s learn more about the GDPR legitimate interest and when can you rely on it, but not before understanding the basics.

There are six lawful bases for processing the personal data of users under GDPR. Without fulfilling one of these, data processing is invalid: 

1. Consent: User’s explicit consent to process their personal data.
2. Contractual obligation: Processing is necessary to fulfill a contract between the users and the data controller.
3. Legal obligation: the processing is necessary to comply with a legal obligation.
4. Vital interests: the processing is needed to protect the vital interest of the user or another person.
5. Public interests: the processing is required for carrying out tasks for public interests.
6. Legitimate interests: the processing is necessary for the legitimate interests of your organization or a third party.

This legitimateness implies that any organization should be aware of how to take advantage of its right to use personal data for its services.

Article 6 (f) Lawfulness of processing of the GDPR states: 

Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Legitimate interest refers to the interest that an organization has to process data without explicit consent when it is necessary to fulfill the purpose, and it is reasonable to assume there would be minimal privacy impact.

Basically, you have a legitimate interest where processing is absolutely necessary and there is no other way you can fulfill the purpose without processing the data. Of course, you must ensure the legitimate interest doesn’t outweigh the fundamental rights and interests of the users.

The user data collected and processed using legitimate interest must still be protected and treated the same (if not more) as any other form of personal data, and individuals should be made aware of its uses. Your privacy policy must disclose the use of legitimate interests as the lawful basis and how they can still exercise their GDPR rights, i.e. to be informed about, object processing of, rectify, or delete personal data.

The GDPR doesn’t give much guidance on what constitutes legitimate interest. It is important to understand that the assessment of whether legitimate interests are used will remain with the data controller. If you need such an assessment, then it is better to seek a legal opinion. 

The legitimate interest is a lawful basis when:

• the processing is not mandatory by law but benefits you or others;
• minimal privacy impact on the user;
• use data in a way that the user would expect; and
• the user is unlikely to object to the processing.

The UK’s independent authority for data protection, ICO (Information Commissioner’s Office) suggest a three-part Legitimate Interests Assessment (LIA) to determine the legitimate interest under the GDPR:

1. Purpose test – is there a legitimate interest behind the processing?

The first step is to identify whether your purpose for processing the data is legitimate or not. 

The following questions may help to determine the same:

• Why do you want to process the data?
• What are the benefits of processing the data?
• Who benefits from it?
• Are there any wider public benefits to the processing?
• How important are those benefits?
• What would be the impact if you don’t process the data?
• What is the intended outcome for individuals?
• Are you complying with relevant laws and codes and conducts?
• Are there any ethical issues with the processing?

2. Necessity test – is the processing necessary for that purpose?

The necessity test will help you determine if the processing is necessary for the purpose you want to fulfill, and you can achieve that by answering the following questions:

• Is the processing necessary for the purpose?
• Is the processing proportionate to that purpose?
• Can you fulfill the purpose by processing less data or without processing the data?
• Can you fulfill the purpose by processing the data in a less intrusive way?

3. Balancing test – is the legitimate interest overridden by the individual’s interests, rights, or freedoms?

The next and final step is to ensure that your legitimate interest doesn’t interfere with the rights and freedom of the users. For that, you should consider the following:

• the nature of the personal data,
• the reasonable expectation that the users will have from you processing the data, and
• the likely impact the processing will have on the users.

The ICO has a sample template that helps carry out the LIA for your organization.

Here are a few examples where legitimate interests apply.

Fraud prevention

An organization requires to process the personal data of its users to prevent fraudulent activities. Such action is beneficial to both the controller and the users and is appropriate as a legitimate interest to process personal data.

Direct marketing

Recital 47 of the GDPR states: 

The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

Relying on legitimate interest as a lawful basis for direct marketing gives marketers flexible relationships with users. There are cases where obtaining user consent or using any other lawful basis is impossible for marketing. Here, direct marketing may be a valid ground for processing data. However, the keyword here is “may”. Not all marketing activities can qualify as legitimate interests. You should first determine if legitimate interest is appropriate for processing data for your marketing activity. Under any circumstance where your marketing activities can be carried out without the need for processing personal data, the legitimate interest cannot be used as a lawful basis. 

In any case, transparency should be maintained. You must inform users about all necessary information about their data and processing methods so that they are aware. 

Most of the direct marketing activities are now processed electronically, which is regulated by ePrivacy laws (applied in conjunction with GDPR). Therefore, legitimate interest may not apply in this case and you will need user consent to proceed. 

Here is a checklist by ICO to understand what marketing method is appropriate for legitimate interests basis.  

Processing employee and client data

In Recital 47, it says:

Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.

This suggests that legitimate interest could be appropriate for processing the personal data of your employees or clients for purposes like communication, employee management, monitoring, background check, health checkups, etc. which are beneficial for both parties. You have to ensure that processing the data will not override the rights and interests of the employees and there should be a reasonable expectation that they have. 

Network security

Recital 49 states that

The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, […]  constitutes a legitimate interest of the data controller concerned.

Processing personal data of users to ensure network security such as preventing unauthorized access to an electronic communications network, stopping malicious code deployment and ‘Denial of Service’ attacks.

It may seem that since direct marketing could qualify as appropriate for legitimate interests, cookies especially marketing ones will do too under GDPR.

Unlikely. 

ePrivacy Directive regulates the use of cookies on websites, and under the ePrivacy law, you require user consent to store cookies on user devices. Therefore, legitimate interests cannot be used as a legal ground for processing personal data using cookies. 

Consent, like legitimate interests, is one of the lawful bases for processing personal data. It means obtaining permission from users to collect and process their personal data. Consent can be of different types but GDPR deems explicit, specific, freely given, informed and unambiguous consent to be valid.

Consent is necessary when the processing is not bound by law or contract or is in the interest of public or vital interest. It is also used when the processing outcome may not be what the users would expect or it interferes with the user’s privacy and their rights and interests. 

Anywhere where legitimate interests would not be appropriate for processing the personal data, consent is the next best option. 

If you are confused about which lawful basis will apply to you, you can start by defining the purpose for processing, and then conduct a Data Protection Impact Assessment (DPIA). The DPIA will determine whether you can use consent or legitimate interests as the valid grounds for the processing. 

Obtaining consent is difficult than using legitimate interests as the lawful basis. However, it is one of the most genuine methods to proceed with processing as you have the user’s permission.