What is legitimate interests?
In order for your organisation to process individuals’ personal data, you must have a lawful basis (or bases). One of these bases is legitimate interests, which the Information Commissioner’s Office (ICO) defines as:
‘[Data processing which] is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.’
Out of the six lawful bases, legitimate interests is the most flexible, yet that does not mean that it is the most appropriate. It is likely to be most appropriate when you use people’s data in ways they would reasonably expect and have a minimal privacy impact, or where there is a compelling justification for the processing.
If you choose to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people’s rights and interests. The legitimate interests can be your own interests or the interests of third parties—a wide range of interests may be legitimate interests. The GDPR specifically mentions use of client or employee data, marketing, fraud prevention, intra-group transfers, or IT security as potential legitimate interests, but this is not an exhaustive list. If you don’t need consent under the Privacy and Electronic Communications Regulations (PECR), you can rely on legitimate interests for marketing activities if you can show that how you use people’s data is proportionate, has a minimal privacy impact, and that people would not be surprised or likely to object. See the ICO’s guide to PECR for more information on when you need consent for electronic marketing.
Before you decide that legitimate interests is the most applicable basis, complete a legitimate interests assessment (LIA). An LIA is a type of risk assessment based on the specific context and circumstances that will help you ensure that your processing is lawful. LIAs can be broken down into a three-part test:
- Purpose test: Are you pursuing a legitimate interest?
- Necessity test: Is the processing necessary for that purpose?
- Balancing test: Do the individual’s interests override the legitimate interest?
Complete the three-part LIA checklist and the general considerations checklist below to determine whether you can rely on the legitimate interests clause to process personal data under the GDPR.
Once you have undertaken the three-part LIA, be sure to keep a record of it and the outcome. There is no standard format for this, but it’s important to record your thinking to help show you have proper decision-making processes in place and to justify the outcome.
Keep your LIA under review and refresh it if there is a significant change in the purpose, nature or context of the processing.
If you are not sure about the outcome of the balancing test, it may be safer to look for another lawful basis. Legitimate interests will often not be the most appropriate basis for processing that is unexpected or high risk. If you do rely on legitimate interests to process data, remember that you must tell people in your privacy notice that you are relying on legitimate interests and explain what those interests are.
If you want to process the personal data for a new purpose, you may be able to continue processing under legitimate interests as long as your new purpose is compatible with your original purpose. In this case, the ICO still recommends that you conduct a new LIA, as this will help you demonstrate compatibility.
If you rely on legitimate interests for direct marketing, the right to object is absolute and you must stop processing when someone objects.
This checklist is of general interest and is not intended to apply to specific circumstances. It does not purport to be a comprehensive analysis of all matters relevant to its subject matter. The content should not, therefore, be regarded as constituting legal advice and should not be relied upon as such. In relation to any particular problem which they may have, readers are advised to seek specific advice. Further, the law may have changed since first publication and the reader is cautioned accordingly.
Contains public sector information published by the ICO and licensed under the Open Government Licence v3.0.