On May 25th of 2018, the General Data Protection Regulation (GDPR) ushered in a new era of data privacy on the internet. One of the many challenges it presents to businesses is the lawful processing of user data.
According to Article 6 of the GDPR, there are six grounds on which personal data can be obtained and processed for the practices to be GDPR-compliant.
The six permissible bases for lawful processing are:
- Consent of the data subject
- For fulfillment of a contract
- Legal compliance
- To protect the vital interests of the data subject
- Necessity for carrying out a task that is in the public interest
- Necessity for the purposes of legitimate interests of the data controller or third party
To learn more about processing based on consent of the data subject, check out our comprehensive guide to GDPR consent.
This article will cover the comparatively nebulous sixth point in the above list, walking you through the meaning of data protection legitimate interests according to the GDPR, along with some real-life examples and questions you can ask yourself to determine if processing based on legitimate interests applies to you.
1. What is GDPR Legitimate Interest?
GDPR legitimate interest is any relevant interests that provide a benefit to a party involved in the processing of data. Such parties may be individual, commercial, or even societal interests — and include yours, as site owner and data processor.
Put simply, a legitimate interest is something that serves to your benefit.
Article 6(1)(f) of the GDPR says:
processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
While processing data on the basis of legitimate interests may seem to be a convenient catch-all for a wide range of situations, it is essential to keep in mind that the rights of data subjects reign supreme under the GDPR and cannot be violated in the name of legitimate interests.
Furthermore, you as the business owner assume responsibility when choosing to process data on the grounds of legitimate interests under the GDPR. The onus is on you to ensure that user privacy is maintained to the greatest possible extent, and that the data in question is handled in ways users might reasonably expect.
The UK’s Information Commissioner’s Office (ICO) has provided a useful guide to data processing on the grounds of legitimate interests that suggests the following three-part test to check if legitimate interest applies in a given situation:
- Purpose test — identify that there exists a legitimate interest on which data should be processed
- Necessity test — show that processing the data is necessary to achieve the stated purpose
- Balancing test — demonstrate that such a legitimate interest does not violate the rights or interests of the data subject
Surprisingly, determining the relevance of a legitimate interest may be the trickiest part of this whole process, so we’ve compiled a number of examples below that can help guide your understanding of what kinds of situations you may be able to apply the basis of legitimate interests to and why.
Our GDPR meaning guide simplifies the key concepts of this strict new privacy law and explains the most important compliance requirements for your business.
2. When to Base Data Processing on GDPR Legitimate Interests
The text of the GDPR itself suggests a number of potential situations under which legitimate interest might be invoked. These include:
- Fraud detection and crime prevention
- Network and information security
- Processing employee or client data
- Direct marketing
Fraud Detection and Crime Prevention
In what is a relatively easy sell — all things considered — processing under legitimate interests for the purposes of fraud detection and crime prevention usually passes the purpose test with ease, leaving only the necessity and balancing tests to be considered for a specific case.
Verifying the identities and registered addresses of users who purchase goods or services by credit card over the internet is one example where data protection legitimate interests might be applied for the purpose of fraud detection.
Network and Information Security
Recital 49 of the GDPR states that an overriding legitimate interest is:
the processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security.
Since all business owners must diligently monitor and protect the health of their platforms, processing personal data on the grounds of legitimate interests can often be necessary to prevent unauthorized access of a network, or for the investigation of data breaches.
Recital 49 also directly mentions the cases of preventing the distribution of malicious code, and stopping distributed denial-of-service (DDoS) attacks.
Processing Employee or Client Data
This possible situation involving legitimate interests springs from a line in Recital 47, which states that:
Such legitimate interests could exist, for example, when there is a relevant and appropriate relationship between the data subject and the controller in situations, such as where the data subject is a client or in the service of the controller.
Employment data processing covers a number of areas necessary for any business with employees, such as:
- Background checks
- Emergency management
- Recordings of customer service calls for the purpose of quality management
Meanwhile, client data might include the information necessary to provide the service in question — from business consulting to investment portfolio modeling. Any sector that relies on data to produce analytics or business intelligence reports also might need to process data on the basis of legitimate interests.
Again from Recital 47, this situation comes from the rather vague statement:
The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
Direct marketing has traditionally benefited from personalization and individually-tailored recommendations, so it is still conceivable that users would like to enjoy the benefits of such services, assuming the data processing doesn’t substantially impact their privacy.
Just remember that according to the language of the GDPR itself, direct marketing may constitute a legitimate interest. Therefore, it is vital to carry out the aforementioned three-part test — especially the balancing test — to cover your bases, in case your application of legitimate interests ever winds up in question.
Keep in mind that some data processing activities for marketing – liking sending marketing emails – will almost always need to be based on user consent. Luckily, there are myriad GDPR consent form tools and resources that can make getting user consent to marketing outreach easy.
Legitimate interests under the GDPR also applies in the case of suppression lists, notably for those individuals who have asked to be removed from a marketing list entirely. In such a case, storing a minimal amount of personal data, such as a private email, is a relevant way to ensure that the individual in question will not be contacted against their expressed wishes.
3. Does Processing Based on GDPR Legitimate Interests Apply to You?
Now that you have a better understanding of what legitimate interests are under the GDPR, the next step is to figure out if data processing on the grounds of legitimate interests is the right strategy for you.
Here are some questions you can ask yourself before deciding to process data based on legitimate interests:
Is legitimate interests the most appropriate basis on which to process user data?
As mentioned previously, consider the three-part test to ensure that:
- There exists a legitimate interest
- The processing of data is necessary to achieve it
- The rights and interests of data subjects are properly considered and upheld
Will the data be processed in a way that would meet the reasonable expectations of users?
According to the GDPR, data subjects have the right to be in control of their personal data and the ways in which it is used. As a result, processing data in ways that users might not expect could violate the GDPR by virtue of not making their rights to their data expressly clear.
GDPR Consent vs Legitimate Interest
To process data based on legitimate interests, you need to meet the necessity thresholds established by the GDPR.
Processing based on consent, on the other hand, only requires you to obtain affirmative opt-in consent from the data subject—no processing necessity needs to be determined.
If you’re processing data and aren’t sure that your purposes meet the legitimate interests necessity standards, getting consent is the safer option for GDPR compliance.
In the end, there is no one-size-fits-all method for ensuring satisfactory compliance with the GDPR’s legitimate interests clause. But the strategies outlined above — especially the three-part test — make it much more likely that processing data on the grounds of legitimate interests is appropriate for a given situation.