September 7, 2022

What are "legitimate interests"?

Insufficient fulfilment of data subjects' rights ranks among the highest in number of violations of the General Data Protection Regulation (GDPR) and in total number of fines imposed to date. In this post, we will focus on one particular article of the GDPR, which covers the "legitimate interest" of an organization as grounds for data collection - the most flexible of the GDPR’s lawful bases for processing personal data.

What are "legitimate interests"?

Chapter 2 Principles Art.6 - Lawfulness of Processing 1(f) states:

processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

"Legitimate interests" generally apply whenever an organization uses personal data in a way that the data subject would expect, which includes their (or a third party's) commercial interests under the following conditions:

  • The processing isn’t required by law, but there’s a clear benefit to it;
  • There is little risk of the processing infringing on data subjects’ privacy; and
  • The data subject should reasonably expect their data to be used in that way.

Unlike other, more obvious lawful bases, the flexibility of legitimate interests requires organizations to justify their reasoning in their documentation. Otherwise, data subjects are able to object to the processing and can require you to remove their records via a data subject access request (DSAR).

Given the risks and the potential damages of unlawful data collection under the GDPR, you might not want to put your documentation up for scrutiny in case data subjects disagree with your justification for legitimate interest. It's therefore advised to weigh your options, balance your own interests and the interests of your data subjects, and think thoroughly about the reasoning behind your purposes of data processing.

Legitimate interests and marketing

Marketing is one of the main reasons organizations collect personal data, but such data has become a lot trickier to obtain and maintain under the GDPR, which allows few options for storing personal data for marketing purposes. How do you justify your legitimate interests? As with so many things related to the GDPR, it depends on the circumstances.

Recital 47 of the GDPR - Overriding Legitimate Interest states:

The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

The keyword here is "may". Ultimately you need to decide whether the benefits that come with your data collection outweigh the interests or fundamental rights and freedoms of the data subject. The fundamental questions you might want to ask yourself are:

  • Is legitimate interest the most appropriate lawful basis for your reasoning?
  • Do the data subject's interests outweigh your defined legitimate interest?

So what counts as "legitimate"?

As mentioned earlier, a wide range of interests may be considered "legitimate". It could be your legitimate interest to grow your business, or it could be the legitimate interests of any third party, which doesn’t just refer to other organizations, but could also be a third-party individual. The legitimate interests of the public in general can also play a part when deciding whether the legitimate interests in the data processing override the individual’s interests and rights. If the processing has a wider public interest for society at large, then this may add weight to your interests when balancing these against those of the individual.

However, do take into account that showing you have a legitimate interest does mean that you (or a third party) must have some clear and specific benefit or outcome in mind - it's not enough to rely on vague or generic business interests. You must think about what in particular you are trying to achieve with the processing operation.

Whilst any purpose could potentially be relevant, the purpose of your data processing must also be ethical and lawful. For instance, even though marketing may be a legitimate purpose, sending spam emails in breach of direct electronic marketing rules doesn't count as legitimate.

How to balance legitimate interests with data subject's interests

Recital 75 of the GDPR - Risks to the Rights and Freedoms of Natural Persons begins with:

The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage [...]

It makes clear that a risk to individuals’ rights and freedoms is about the potential for impact on them, including physical, financial or any other impact, such as:

  • inability to exercise rights (including data protection rights);
  • loss of control over the use of personal data; or
  • any social or economic disadvantage.

However, even when processing might have a negative impact on the individual, this doesn't mean that their interests automatically override yours. This depends on the severity of the impact, and whether it's warranted in light of your purpose. Of course, your interests do not always have to be in harmony with those of the data subjects, and if you have a more compelling interest, it may justify some impact on them.

How to assess "reasonable expectations"

Recital 47 of the GDPR - Overriding Legitimate Interest states:

The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing.

Ultimately, you need to assess whether the individual can reasonably expect the processing, taking into account in particular when and how the data was collected. One of the factors that may affect what individuals reasonably expect is what you tell them in your privacy information. If you include clear information about your processing, they are more likely to expect that processing. Other factors that might also affect the reasonable expectations of individuals include:

  • how long ago you collected the data;
  • the source of the data;
  • the precise nature of any existing relationship with the individual and how you have used their data in the past; and
  • whether you are using a new technology or processing data in a new way that individuals might not have anticipated – or conversely whether there are any developments in technology or updates to services which individuals might have come to expect.

Although reasonable expectations are an important factor, simply having warned the individual in advance that their data will be processed in a certain way doesn't necessarily mean that your legitimate interests always prevail, irrespective of possible harm, particularly the harms outlined in recital 75.
