What is GDPR legitimate interest?
In what situations can a company use legitimate interest to process personal data without getting the consent of the data subject?
Does legitimate interest have to be disclosed in the privacy information?
In this article, we will break down the concept of legitimate interest under GDPR.
We will define what it is, we will look at the legitimate interest test to see if you can use it as a lawful basis to process personal data, we will give you guidance on how to assess your legitimate interest, consider sanctions and more.
Are you ready?
Let’s get started!
What is GDPR legitimate interest?
Legitimate interest is one of six lawful bases companies can rely on to lawfully process personal data.
Article 6 GDPR outlines the six lawful bases for processing personal data as follows:
- Processing based on data subject’s consent
- Processing to render obligations under a contract or enter into a contract with the data subject
- Processing to respect a legal obligation
- Processing for the vital interest of the data subject
- Processing for the public interest
- Processing based on the data controller or processor’s legitimate interest
For companies, legitimate interest may be a lawful basis that many may invoke to justify their data processing activities.
Generally, a legitimate interest can be a suitable ground when the data processing activities have minimal privacy impact on the data subject and the manner a company intends to use personal data is reasonably expected.
Out of the six lawful bases of processing, legitimate interest may appear to be the most flexible option for justifying data processing activities.
Legal components of legitimate interests
Article 6 GDPR specifically states that the data processing will be considered lawful if:
“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”
The concept of GDPR legitimate interest can be broken down into three components:
- The controller or processor’s legitimate interest
- The necessity to process data to achieve the legitimate interest
- The weighing of the legitimate interest and the data subject’s rights and freedoms
GDPR legitimate interest test
Based on the three legitimate interest components, the evaluation of a company’s data processing operations based on legitimate interest will need to pass the following three-tier legitimate interest test:
- Purpose test
- Necessity test
- Balancing test
Let’s look at each.
Purpose test: legitimate interest
The purpose test is to demonstrate that the company has a legitimate interest.
The data controller or data processor’s legitimate interest can be anything as long as a company can justify that it’s in their interest to process data to achieve that interest.
You can have:
- Use of client data
- Use of employee data
- Prevention of fraud
- Intra-group transfers
- Commercial interests
- Operational interests
- Management interests
- Social interests
- Safety interests
- IT security
The list can be endless.
What’s important is that the purpose of the legitimate interest must be important to the organization.
Necessity test: the necessity of processing
The necessity test requires that a company demonstrate a real necessity to process personal data to achieve the purpose of the legitimate interest.
To process personal data based on the lawful basis of legitimate interest, demonstrating necessity is essential.
There must be no other reasonable way for a company to achieve its legitimate interest other than processing personal data the way they intend to do so.
If other ways of achieving the legitimate purpose are possible and the other methods may require less intrusion to an individual’s personal data, that other method must be leveraged.
Companies may sometimes confuse the notion of necessity.
Processing data may be necessary to achieve a purpose or processing data may be necessary because you chose a specific purpose.
Although these are closely related, they are not the same.
The notion of necessity under GDPR requires that the ‘selection’ of the objective or ‘purpose’ be necessary, not the necessity to actually use the data to process it.
Balancing test: data subject’s rights and freedoms
To complete the legitimate interest legal evaluation, a company must assess the balance between its own legitimate interest and the data subject’s rights and freedoms.
If the company’s legitimate interest overrides the data subject’s rights and freedoms, then GDPR will recognize the legitimate interest and consider the data processing to be lawful.
In evaluating the data subject’s rights and freedoms, companies must remain mindful of the potential adverse consequences, damages or harm on the data subject.
The more the data processing operations impose a risk on the data subject, the more the data subject’s rights and freedoms may override the organization’s legitimate interest.
What are the individual interests, rights and freedoms?
GDPR says that a company cannot use legitimate interests if the data subject’s interests, rights and freedoms override the company’s legitimate interest.
What does that mean exactly?
The notion of ‘interest’, ‘rights’ and ‘freedoms’
The notion of ‘interest’, ‘rights’ and ‘freedoms’ is broad and can mean different things in different situations.
At the end of the day, this will come down to justifying the benefits and risks to the data subject.
In some cases, pursuing legitimate interest can have a clear benefit to the data subject with little or no harm.
We can consider that in such a scenario, the data subject’s interest, rights and freedoms may not override the company’s legitimate interests.
In other cases, you may have a neutral benefit to the data subject but a significant risk of harm, damage or other adverse consequence on the data subject.
That’s when you need to carefully think about your data processing operations.
Interests, rights and freedoms defined in GDPR recitals
Recital 75 GDPR provides some additional clues as to what GDPR considers to affect a data subject’s interests, rights and freedoms:
“The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage”
Physical, material and non-material are different aspects of evaluating harm or adverse consequences on data subjects.
Recital 75 GDPR provides specific examples of what can constitute physical, material or non-material damage as follows:
“where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage”
“where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data”
“where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures”
“where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles”
“where personal data of vulnerable natural persons, in particular of children, are processed”
“where processing involves a large amount of personal data and affects a large number of data subjects.”
As you can see, the notion of data subject interests, rights and freedoms will be interpreted broadly.
Factors like financial damages, reputation, economic and social disadvantages are some of the notable examples provided by GDPR.
What is considered to be reasonably expected by a data subject?
The objective of GDPR is to provide data subjects with sufficient protection over their personal data and particularly to empower them so they have control over their data.
If a company intends to use legitimate interest as a basis to process personal data and avoid getting the consent of the data subject, GDPR requires that the objective be legitimate and necessary for the organization and not override the data subject’s interest, rights and freedoms.
Recital 47 GDPR provides additional insights as to the interplay between legitimate interest and the data subject’s expectations:
“At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing.”
To determine if a data subject reasonably expects the data processing, a company must look at it as objectively as possible.
Will any reasonable person in the same circumstances expect that personal data processing may take place for the legitimate purpose invoked by the company?
If a company can find objective, sincere and legitimate reasons to justify the processing of personal data, then the pursuit of legitimate purpose as a lawful basis may be successful.
Relationship with the data subject and legitimate purpose
The nature of the relationship between the data subject and the company can play a factor in the assessment of whether or not the lawful basis of legitimate interest can be pursued by the organization.
The idea is that it may be easier to justify legitimate interest when you already have a relationship with the data subject such as a client or employee.
Conversely, if you do not have an existing relationship with a data subject, arguing legitimate interest may be more difficult as, particularly, it may be difficult to claim that the data subject had a reasonable expectation.
Factors affecting the data subject’s reasonable expectation
The evaluation of the ‘reasonable expectation’ of a data subject is an objective one.
Will a person, in the same circumstances, reasonably expect that a company use their personal data as they claim the necessity to do so based on legitimate interest?
GDPR does not define what is a data subject’s reasonable expectation although Recitals 47 and 75 give us interpretation clues.
Many factors can affect a data subject’s reasonable expectation such as:
- Risks to the data subject
- Discrimination
- Theft
- Fraud
- Financial loss
- Damages
- Reputation
- Confidentiality
- Economic disadvantage
- Social disadvantage
- Sex life
- Criminal convictions
- Security
- Performance at work
- Health
- Personal preferences
- Personal interests
- Reliability of the person
- Behaviour of the person
- Location
- Movements
- Profiling
- Source of data
- Duration of data processing
Privacy information and legitimate interest statement
Companies are obligated, under GDPR, to provide privacy information to data subjects as part of the data subject’s right to be informed.
The privacy information contains information about the company, its processing activities, reasons why personal data may be collected along with what will be done with the personal data.
Article 13(1)(d) GDPR states that a company must provide privacy information “where the processing is based on (…) the legitimate interests pursued by the controller or by a third party”.
If a company provides sufficient information about its legitimate purpose through its privacy notice, that can demonstrate or help substantiate the fact that the data subject could have had a reasonable expectation that data may be processed for the legitimate purpose.
By providing information about the possible data processing operations, companies may have a better chance of successfully passing the three-tier legitimate interest test.
The legitimate interest of data controllers
Data controllers and data processors may have a legitimate interest to process personal data.
Legitimate interest is one of the six lawful grounds companies can invoke to justify the processing of personal data without having to get the consent of a data subject.
What are the legitimate interests of a data controller?
Recitals 47, 48, 49 and 50 of GDPR provide guidance as to what can be considered a data controller or data processor legitimate interest.
“Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.”
“The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned.”
“The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
“Controllers that are part of a group of undertakings or institutions affiliated to a central body may have a legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of clients’ or employees’ personal data.”
“The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned.”
“Indicating possible criminal acts or threats to public security by the controller and transmitting the relevant personal data in individual cases or in several cases relating to the same criminal act or threats to public security to a competent authority should be regarded as being in the legitimate interest pursued by the controller.”
GDPR names certain scenarios and explicitly indicates that such cases may give rise to a data controller’s legitimate interest.
There may be more instances when a data controller can invoke legitimate interest.
The list can be endless.
Examples of legitimate interest
What are some concrete examples of legitimate interest that companies can use to justify their data processing operations?
Legitimate interest employee data
One example is legitimate interest of employment data processing.
Companies have a legitimate purpose to process personal data, not necessary for the performance of employment obligations, but necessary to manage employees.
Such examples are:
- Background checks
- Office access
- Internal company directories
- Business conduct
- Compliance with policies
- Employee retention programs
- Headcount management and forecasting
- Travel administration
- Time reporting
- Family member’s data for HR records
- CCTV images to defend claims
Legitimate interest corporate operations
Another example is legitimate interests for general corporate operations and due diligence.
Companies must run their business and make strategic decisions to grow their business.
Managing customer, vendor and partner relationship information and business intelligence with internal stakeholders is crucial to plan, budget and allocate business resources to projects and activities.
Companies may have a legitimate interest when:
- Modelling financial and risk scenarios
- Assessing customers
- Reporting to management and executives
- Sharing information with related entities
- Handling back-office operations
- Processing personal data for M&A activities
- Processing personal data for due diligence
- Corporate reorganizations
- General business intelligence
Legitimate interest marketing
Another example where companies may have a legitimate interest is with respect to communications and marketing.
In the following instances, legitimate interest may be invoked in B2B scenarios:
- Communication with customers
- Personalization of services to customers
- Direct marketing related to company’s products and services
- Targeted advertising
- Analytics and profiling for business intelligence to create reports
- Ad performance and conversion tracking
- Audience measurement
- B2B marketing
Other examples
Other examples of legitimate interest can include:
- Fraud detection and prevention
- Compliance with court orders
- Compliance with self-regulatory schemes
- Cybersecurity
- Network security
- Industry watch-lists
- Product development
- Product enhancement
When to process data based on legitimate interest?
Legitimate interest under GDPR can be used as a lawful basis to process personal data when the company can demonstrate a genuine purpose, the necessity of the processing, and that there are no other less intrusive means of achieving that purpose.
Often, legitimate interest may be suitable in the following scenarios:
- Personal data used is not sensitive
- There is little to no negative impact on the data subject
- The use of personal data is proportionate
- The processing operation is reasonably expected
- The data subject may not want to object to the processing
Legitimate interest and the e-Privacy Directive
The e-Privacy Directive governs privacy rights on electronic communications.
In a nutshell, the e-Privacy Directive covers the following aspects:
- Marketing calls
- Marketing text messages
- Marketing emails
- Use of cookies on websites
- Use of tracking technologies about people accessing a website
- Use of location data
- Use of traffic data
GDPR does not replace the e-Privacy Directive.
The Directive continues to apply to companies operating in electronic communications.
The e-Privacy Directive does not necessarily need to involve personal information either.
As such, for any electronic activities subject to the e-Privacy Directive, companies must not only observe the e-Privacy Directive but also GDPR.
How does this tie with legitimate interest?
Well, a company can rely on legitimate interest and avoid getting the actual consent of a data subject if consent is not required under the e-Privacy Directive.
In other words, for electronic communications, web tracking and the use of cookies and so on, a company can invoke legitimate interest as long as the e-Privacy Directive does not impose the obligation of getting consent.
Legitimate interest to transfer data to a third party
Article 6 GDPR states that legitimate interest can be invoked when “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party”.
This means that you can use the lawful basis of legitimate interest to transfer data to a third party.
If a company has a necessity to transfer data to a third party to reasonably pursue their legitimate objective, GDPR can recognize that.
The organization must be able to demonstrate:
- Who is the third party
- Why do they need to get data
- What type of data do they need
- Can the processing objective be achieved without going to the third party
- Processing will be reasonably expected by the data subject
- Can the processing cause any harm to the data subject
If the organization comes to the conclusion that transferring the personal data to a third party passes the purpose test, necessity test and balancing test, the data processing operation can be pursued.
Keep in mind that the third party can be either an organization or an individual.
Legitimate interest assessment
Companies must satisfy the requirements of legitimate interest as a lawful basis for processing personal data without having to get a data subject’s consent.
The three components of legitimate interest are:
- The legitimate interest
- The necessity
- Any overriding data subject rights and freedoms
To assess whether or not you can rely on legitimate interests to justify your data processing activities, you’ll need to perform a legitimate interest assessment.
The legitimate interest assessment will help you walk through the three components of the legitimate interest basis and document your decision-making process.
Here are some legitimate interest assessment questions you should consider:
- What is the purpose of the data processing operation?
- What’s the objective of the data processing operation?
- Is the legitimate interest an important one or is it trivial?
- Can the company do without the data processing operation?
- Will the data processing activity be lawful?
- Will the data processing activity be fair to the data subject?
- Can the legitimate interest be achieved another way?
- Can the legitimate interest be achieved in a less intrusive way?
- What is the nature of the company’s relationship with the data subject?
- Will the company process special categories of data?
- What’s the possible risk to the data subject?
- Can the data subject be negatively impacted?
- Will the data subject object if they find out?
- Will the data subject reasonably expect it?
- Is the data processing operation safe?
- Are there security measures and safeguards in place?
Depending on the answers to these questions, a company can get a good sense of the likelihood of them successfully relying on legitimate interest as a lawful basis for processing personal data.
Sanctions for not disclosing legitimate interest
Article 83 GDPR empowers the supervisory authorities to issue administrative fines in the event of non-compliance or the infringement of GDPR.
Depending on the nature of the infringement, GDPR classifies it in two categories.
One category is for serious infringements of GDPR, where fines can reach the greater of €20,000,000 or 4% of a company’s global annual turnover.
The other category is for less serious infringements, where fines can reach the greater of €10,000,000 or 2% of a company’s global annual turnover.
The violation of Article 6 GDPR having to do with the lawful basis for processing personal data is a serious breach under GDPR (Article 83(5)(a) GDPR) exposing a company to the greater of €20,000,000 or 4% of a company’s global annual turnover.
Failure to provide the privacy disclosure with respect to the legitimate interest of an organization to process personal data as required by Article 13 GDPR is also considered a serious breach of GDPR (Article 83(5)(b) GDPR) and as such will expose a company to the greater of €20,000,000 or 4% of a company’s global annual turnover.
Frequently Asked Questions
What is legitimate interest under GDPR?
Legitimate interest is one of six lawful bases companies can rely on to lawfully process personal data as outlined in Article 6 GDPR. GDPR states that a company can process personal data if the “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”.
When can I use legitimate interest?
You may use legitimate interest when you are processing non-sensitive data, when the processing is reasonably expected by the data subject and when there is no harm to the data subject or their interests, rights and freedoms do not override your legitimate interest. Legitimate interest is a flexible lawful basis for processing personal data and companies have a tendency to prefer this ground when it’s possible.
Does legitimate interest apply to email?
When emailing data subjects, if it’s for marketing purposes, you will need to comply with GDPR and the e-Privacy Directive. You can invoke legitimate interests to the extent you are sending information about related products and services they’ve purchased. GDPR Recital 47 states that legitimate interest may exist “where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.” You can also send email marketing if it was solicited by the data subject.