The GDPR: Legitimate interest – what is it and when does it apply?

The GDPR (General Data Protection Regulation) outlines six conditions under which organisations can process personal data.

Four of those conditions are relatively self-explanatory: contractual requirements, legal obligations, vital interests and tasks carried out in the public interest.

That leaves consent and legitimate interest, which need to be unpacked in more detail.

We’ve covered consent before, so our focus here will be on legitimate interest. We describe how it works, provide examples of where it applies and explain how you can demonstrate it.


What is a legitimate interest?

Legitimate interest is the most flexible of the GDPR’s lawful bases for processing personal data. Theoretically, it applies whenever an organisation uses personal data in a way that the data subject would expect.

‘Interests’ can refer to almost anything here, including an organisation or third party’s commercial interests or wider societal benefits.

In general, the condition applies when:

  • The processing isn’t required by law, but there’s a clear benefit to it;
  • There is little risk of the processing infringing on data subjects’ privacy; and
  • The data subject should reasonably expect their data to be used in that way.

This might make it seem like legitimate interests is the most appropriate lawful basis for all your data processing activities, but that’s not the case. Let’s find out why.




Legitimate interest and data subject rights

The flexibility of legitimate interests comes at a price; organisations that use it must thoroughly justify it in their documentation.

Unlike the other lawful bases, it’s not obvious how the condition applies. Unless you can substantiate your reasoning, data subjects will be able to object to the processing and force you to remove their records.

They can do this via a DSAR (data subject access request), which gives them a full record of the data you hold on them and the purpose for collecting it.

If they disagree with your justification for legitimate interest, the burden is on you to prove otherwise.

Given the risks associated with collecting data unlawfully under the GDPR – including the potential for a large fine – it’s risky to put your documentation up for scrutiny in this way.

Your best bet, then, is to erase the complainant’s data from your records.

If this happens once or twice, you shouldn’t necessarily be concerned, but if it becomes a pattern, it means your justification isn’t sound, and that data may have been collected unlawfully.

Examples of when legitimate interest might apply

The GDPR highlights the following as specific types of processing that are considered legitimate interest:

  • Fraud prevention
  • Network and information security
  • Indicating possible criminal acts or threats to public security

Processing employee or client data, direct marketing and intra-group administrative transfers will probably also be considered legitimate interest.

Let’s take a look at a specific example of a type of processing that is considered legitimate interest.

An organisation is looking into the way it stores job applicants’ personal details. It is legally required to store this information for six months, in case a candidate lodges a discrimination case.

However, the organisation decides it wants to retain the data for longer than this, because it foresees scenarios where an applicant wasn’t right for the role being advertised, but they might be suitable for a future position.

In this case, the organisation is entitled to hold on to personal details under the legitimate interest condition.

The data subject gave the organisation their data; there is little risk of it being misused, and keeping it is beneficial for both the applicant and the organisation.


Is legitimate interest appropriate for marketing purposes?

One of the most common questions related to legitimate interest is whether it can be used for direct marketing.

This is one of the biggest reasons that organisations collect personal data, and besides consent – which has got a lot trickier to obtain and maintain under the GDPR – there are few options for storing personal data for marketing purposes.

As such, many businesses are pinning their hopes on legitimate interest. But are they justified? The answer, as with so many things related to the GDPR, is that it depends on the circumstances.

Article 47 of the Regulation states that “direct marketing purposes may be regarded as carried out for legitimate interest” – but ‘may’ is the operative word.

If you’re confident that your marketing practices meet the criteria for legitimate interest outlined in this blog, you’re probably fine.

But if you want something more definitive than ‘probably fine’, you can always carry out a legitimate interest purpose test, which we explain in the next section.


How to demonstrate legitimate interest

Whether processing counts as legitimate depends on the caveat outlined in Article 6 of the GDPR – i.e. whether the benefits that come with data collection are outweighed by the “interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”.

How do you know when that’s the case? The ICO (Information Commissioner’s Office), the UK’s data protection authority, suggests using a three-part test.

The first part is the purpose test, which helps you decide whether the processing can be considered a legitimate interest. It consists of the following questions:

  • Why do you want to process the data? What are you trying to achieve?
  • Who benefits from the processing? In what way?
  • Are there any wider public benefits to the processing?
  • If so, how significant are those benefits?
  • What would the impact be if you couldn’t process this information?
  • Would your use of the data be unethical or unlawful in any way?

The second part is the necessity test, which helps you decide whether legitimate interest is the most appropriate lawful basis. It consists of the following questions:

  • Does this processing help further your interests?
  • Is processing this information a reasonable way of securing those interests?
  • Is there a less intrusive way to achieve the same result?

The final part is the balancing test, which helps you decide whether the data subject’s interests override the legitimate interest. It consists of the following questions:

  • What is the nature of your relationship with the data subject?
  • Is any of their personal data sensitive or private?
  • Would people expect you to use their data in this way?
  • Are you happy to explain it to them?
  • Are some people likely to object or find it intrusive?
  • What is the possible impact on the individual?
  • How big an impact might it have on them?
  • Are you processing children’s data?
  • Are any of the individuals vulnerable in any way?
  • Can you adopt safeguards to minimise the impact?

You don’t need to document your answers to each of these questions to justify legitimate interests, but it’s worth considering them all to make sure there’s nothing you’ve overlooked.

Your documentation should then summarise your thoughts, showing that you’ve considered your obligations to keep data subjects’ personal information safe.



A version of this blog was originally published on 27 February 2020.
