GDPR Legitimate Interest

By: Teodor Stanciu, CIPP/E, CIPM | Updated on: March 14, 2025


The General Data Protection Regulation (GDPR) outlines six legal bases for collecting and processing personal information, one of which is legitimate interest.

Below, I describe what legitimate interest is under the GDPR, how it works, and when to use it, and I provide examples to help your business better understand this legal requirement.

Table of Contents
  1. What Is Legitimate Interest Under GDPR?
  2. How To Declare Legitimate Interests Under the GDPR
  3. Conducting a GDPR Legitimate Interest Assessment (LIA)
  4. Examples of Legitimate Interests for Businesses
  5. Does Processing Based on GDPR Legitimate Interest Apply to You?
  6. GDPR Consent vs Legitimate Interest
  7. Summary

What Is Legitimate Interest Under GDPR?

Under the GDPR, legitimate interest is one of the legal bases for processing personal information. It appears in Article 6, Lawfulness of Processing, and states the following:

Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

This means your business can process personal data without obtaining explicit opt-in consent from consumers only if you have a genuine and justifiable reason and no other legal basis can be applied to the given processing activity.

It refers to any interest that benefits one or more parties involved in the data processing, and it can be personal, commercial, or even societal.

For example, entities might use it to process data to prevent fraud or identity theft, or to ensure a security system is functioning properly.

However, the processing cannot infringe upon consumers’ privacy rights.

The goal is to allow businesses to process data in ways that a person might reasonably expect while still balancing and respecting the data subject’s rights, which sounds simple enough.

But in my experience as a privacy professional, this is one of the more complex legal bases because the burden of proof is placed on the business.

If a supervisory authority finds the reasoning insufficient, it could require you to cease the processing, and you risk fines for noncompliance.

What Is Not Legitimate Interest Under the GDPR?

Article 6 of the GDPR states that data processing can be considered a legitimate interest,

“…except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject…”

This means the processing cannot be considered a legitimate interest if it infringes on the rights and freedoms of the people to whom the personal data belongs.

Because this definition is broad and open to interpretation, it is harder for businesses to legally prove legitimate interest.

How To Declare Legitimate Interests Under the GDPR

To rely on legitimate interests as your lawful basis for data processing, you must inform consumers in your GDPR-compliant privacy policy and clearly describe what those interests are.

You must be as specific as possible about your legitimate interests and how your data processing activities serve users, or else supervisory authorities might deem your reasoning a violation of the law.

Conducting a GDPR Legitimate Interest Assessment (LIA)

To help determine how legitimate interests might apply to your data collecting practices, I’ll walk you through the steps for conducting a GDPR legitimate interest assessment.

A GDPR legitimate interest assessment (LIA) is a three-part test, recommended by the UK’s Information Commissioner’s Office (ICO), that determines whether legitimate interest applies to a given data processing situation.

It contains the following:

  • Purpose Test: evaluates whether you’re pursuing legitimate interests in your data processing.
  • Necessity Test: shows that the data processing is necessary to achieve the stated purpose.
  • Balancing Test: demonstrates that the legitimate interest does not override the rights or interests of the data subjects concerned.

Purpose Test

The Purpose Test identifies whether you have a legitimate interest in processing data.

To start, identify your purposes for data processing and assess whether they qualify as legitimate interests by asking yourself the following questions:

  • Why do you want to process users’ data?
  • Who benefits from the data processing, and in what way?
  • What would happen if you didn’t go through with the data processing?
  • Are you complying with other relevant data privacy laws and industry standards?
  • Are there any potential ethical issues with the processing?
  • Does the processing infringe on any user rights?
  • Is the data subject expecting such processing?
  • Does the processing serve an important or beneficial function for society (e.g., fraud prevention, security, research, etc.)?
  • Would a data subject consider the processing to be reasonable and proportionate?

For example, a business that prevents financial fraud might process users’ purchasing data to spot possible fraud; this benefits the consumer and can be performed in compliance with privacy laws without infringing any rights.

Make sure you keep track of your answers, as this will make it easier for you to complete your privacy notice (an essential requirement of the GDPR) and prove that your legitimate interest is legally sound, should a privacy audit ever occur.

Necessity Test

The purpose of the Necessity Test is to determine whether the data processing is genuinely necessary, and not avoidable, for achieving the envisaged legitimate purpose.

To determine this, it helps to answer the following questions and, as with the Purpose Test, record your answers:

  • Will the data processing actually help you achieve your stated purpose?
  • Is the level of data processing proportionate to your stated purpose?
  • Are there any less intrusive alternatives to achieving your purpose?
  • Could the same objective be achieved without processing personal data or by processing less data?
  • Is the scope of data processing proportionate to the intended benefit?
  • Are there any safeguards that could reduce the need for certain types of processing?
  • Does the processing involve sensitive data (special category data) or children’s data? If so, is there a compelling reason for processing?

For example, if you use third-party platforms such as Google Analytics to track traffic and engagement, you may be able to achieve the same analytic purpose by collecting aggregate data rather than the data of individual users.

In that case, the processing would not be necessary, so you shouldn’t use legitimate interest as your lawful basis.

Balancing Test

Finally, the Balancing Test evaluates if consumers’ interests and fundamental rights override your business’s legitimate interests.

To help you determine this, answer the following questions:

  • Do you process any type of sensitive personal data?
  • Do you process the data of children or minors?
  • Would users reasonably expect you to use their data for your stated purposes?
  • What impact does your data processing have on individuals?
  • Does the processing create risks of harm, distress, or discrimination for individuals?
  • Are data subjects likely to object to the processing, and if so, why?
  • Have you implemented sufficient safeguards to protect the rights and freedoms of data subjects? (e.g., anonymization, pseudonymization, encryption, opt-outs, transparency measures, etc.)
  • Can data subjects easily exercise their rights (e.g., right to object, right to erasure, right to access)?
  • Would a reasonable person consider the data processing justified in light of its potential impact?

To help tip the balance in your favor when citing legitimate interest for your data processing activities, implement appropriate security measures to protect users’ personal data and be transparent about your data collecting practices.

It’s a best practice to conduct this LIA as necessary so you can show that your legitimate interests are valid according to the GDPR.

Examples of Legitimate Interests for Businesses

According to Recitals 47 and 48 of the GDPR, there are some situations where legitimate interest might be applied, which include:

  • Fraud detection and crime prevention
  • Network and information security
  • Processing employee or client data within a group of undertakings
  • Direct marketing

To help you better understand these instances, I’ve compiled some examples below.

Fraud Detection and Crime Prevention

Data processing for the purposes of fraud detection and crime prevention typically passes the purpose test, leaving the necessity and balancing tests to be considered for specific cases.

In this case, you’d need to explain how processing users’ data will directly help in fraud detection and prevention in your compliant privacy policy.

Network and Information Security

According to the introduction of Recital 49 of the GDPR, an overriding legitimate interest is:

The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security.

Since all business owners must diligently monitor and maintain the security of their platforms, processing personal data on the grounds of legitimate interests could be necessary for data breach investigations or to prevent unauthorized access to a network.

Recital 49 also directly mentions the cases of preventing the distribution of malicious code and stopping distributed denial-of-service (DDoS) attacks.

Processing Employee and Client Data

Legitimate interests for processing employee and client data are addressed in Recital 48, which states that:

“Such legitimate interests could exist, for example, when there is a relevant and appropriate relationship between the data subject and the controller in situations…”

Cases where legitimate interest applies for processing employee and client data include:

  • Background checks
  • Emergency management
  • Recordings of customer service calls for the purpose of quality management

A compliant privacy policy, in this case, would include the relevant legal basis for each stated purpose for data processing, such as proper communication with candidates and ensuring the recruitment of the appropriate employee.

Legitimate interest also applies to processing client data, which may be necessary to provide your business services — from business consulting to investment portfolio modeling.

Legitimate Interests in Direct Marketing

According to a portion of Recital 47 of the GDPR,

“…the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”

Email marketing and B2B marketing may be legally valid reasons for data processing as long as these activities are based on legitimate interest or consent, especially when you already have a business relationship with the data subjects concerned.

However, you must check the national legislation in the countries where you want to operate, as these rules may differ based on additional measures implemented at the national level.

If this applies to your business, it must be clearly disclosed in your privacy policy, along with a description of the data subjects’ rights regarding direct marketing under the GDPR.

More specifically, data subjects have the right to remove themselves from direct marketing, and your business must honor these requests, or you risk getting penalized for violating the law.

Employee Monitoring

It’s also possible under the GDPR for employee monitoring to be included as a legitimate interest in very specific situations where a balance is maintained between the business needs and the employee’s privacy rights.

For example, an employer might need to access employee data for the following reasons:

  • Protect company assets
  • Maintain and upkeep operations
  • Ensure compliance with company and legal policies
  • Prevent security breaches
  • Safeguard intellectual property

All this information should go into a privacy policy that must be presented to the employees.

Debt Collection

Debt collection can also be considered a legitimate interest under the GDPR if the business can demonstrate that the data processing is essential and doesn’t infringe upon any individual’s privacy rights.

In other words, a company can collect debts owed to it and use personal data to facilitate this process if it can prove the processing is balanced and necessary.

It must also be clearly disclosed and explained in your GDPR-compliant privacy notice.

Does Processing Based on GDPR Legitimate Interest Apply to You?

It’s important that you pick a legal basis for your data processing that is lawful, applicable, and provable, and the burden of proof rests solely on your business.

To help you determine if data processing based on GDPR legitimate interest does apply to you, I’ve compiled two questions for you to consider.

Is legitimate interest the most appropriate basis for your data processing activities?

If you’re going to cite legitimate interest under the GDPR, you must be able to prove that there are no other more appropriate legal bases for your data processing activities.

Be extra careful here because fines for noncompliance under the GDPR can reach as high as 4% of your gross annual turnover or €20 million ($21 million), whichever is higher.

Will the data be processed in a way that meets users’ reasonable expectations?

It’s also important that your business can prove that your data processing activities are performed in a way that meets the reasonable expectations of your users.

According to the GDPR, data subjects have the right to be in control of their personal data and how it is used.

This means processing data in ways that users don’t expect could violate the GDPR, including if you’re not making users’ rights to their data expressly clear.

You must use clear language in your privacy policy and avoid complex jargon or legalese to ensure users understand how you process their data.

Under the GDPR, you can process personal data without user consent if it’s based on any other legal bases previously mentioned.

However, data processing based on consent is much easier to prove because it requires you to obtain affirmative, opt-in consent from the data subject — you don’t need to determine the necessity behind the processing.

If you process personal data based on consent, you must also provide users with opt-out options so they can retract their consent easily, as required by the GDPR.

You can use resources like a consent management platform (CMP) to help you obtain consent.

Consent solutions also help you more easily prove that you’ve adequately obtained legal consent from data subjects and are providing them with a means for changing their minds at any time.

If you’re processing data and aren’t sure that your purposes meet the necessity standard for legitimate interests, getting consent is the safest option for GDPR compliance.

Summary

Under the GDPR, processing data based on legitimate interest is a complex process.

Your business should perform a GDPR Legitimate Interest Assessment to determine if your purposes and the processing are necessary, balanced, and in line with the law.

But because this legal basis is subject to varying interpretations and the burden of proof is on your business, you must be certain before citing legitimate interest in your privacy notice.


Written by Teodor Stanciu, CIPP/E, CIPM

Teo is a Data Privacy Specialist and experienced Data Protection Officer (DPO) who is passionate about helping companies meet their data protection obligations. He has an experience of more than seven years as a DPO for an international organization active in 50 countries and based in Brussels, Belgium. Teo is a Certified Information Privacy Professional/Europe (CIPP/E) and Certified Information Privacy Manager (CIPM) with the International Association of Privacy Professionals (IAPP).
