What is a Legitimate Interest?
Legitimate interest is one of the six lawful bases for processing personal data under the GDPR.
GDPR Article 6 says:
“Processing shall be lawful only if and to the extent that at least one of the following applies:… (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
It is further described in GDPR Recital 47:
“The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller… [T]he existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing.”
Balancing Test. If you are a controller and considering legitimate interest, think of it as a balancing test. The controller must balance the interest in processing against the rights and freedoms of the data subject, and other data subjects, as well as the interests of the member state.
Why is there a balancing test? Because the legitimate interest cannot override the interests or fundamental rights and freedoms of the data subject, in particular where the data subject is a child.
When you think of legitimate interest, think of:
- Balancing test
- Wider context, big picture
- Controller’s legitimate interest
- Member state interests and law
- Fundamental rights and interests and reasonable expectations of the data subject
- Fundamental rights and interests of other data subjects
Necessary. To outweigh those other interests, the processing must be necessary.
Necessary means a close and substantial connection. If a controller claims that the processing is necessary, and it turns out that the processing is not necessary, then the processing is not lawful and is instead deceptive.
An example benchmark of necessity is good encryption for the purpose of security: the purpose of security has a close and substantial relation to the processing that encryption involves.
Proportionate. In the context of legitimate interest, necessary also means proportionate, and that there is no less intrusive alternative.
Reasonable Expectations of the Data Subject. The controller must take into account the reasonable expectations of the data subject. The controller might want to actually ask the data subjects what they think about the processing. Surveys, interviews, and focus groups might be ways to accomplish this.
Fundamental Rights and Freedoms. To be valid, the legitimate interest cannot be overridden by the rights and freedoms of the data subject. Again – a balancing test.
Public Authorities. The legitimate interest reason for processing cannot be used by public authorities.
Let’s look at some examples of legitimate interest:
- Strictly necessary for preventing fraud
- Direct marketing
- Relevant and appropriate relationship, time and context (e.g., customer relationship)
- Transmitting within a group of undertakings for internal administrative purposes, including employee data
- Strictly necessary and proportionate for security
In sum, to use legitimate interest as a reason for lawful processing, the processing must be necessary, as balanced against the reasonable expectations as well as the fundamental rights and freedoms of the data subject.