On May 25, 2018, the General Data Protection Regulation (GDPR) ushered in a new era of online data privacy. Businesses must follow its requirements for data collection and processing, which include having legally valid reasons for data processing.
Article 6 of the GDPR outlines six lawful bases for data processing:
- Consent of the data subject
- For fulfillment of a contract
- Legal compliance
- To protect the vital interests of the data subject
- Necessity for carrying out a task that is in the public interest
- Necessity for the purposes of legitimate interests of the data controller or third party
This article focuses on the sixth legal basis for data processing: legitimate interest. Let’s go over the definition of legitimate interest under GDPR, legitimate interest examples, and a three-part test to determine whether legitimate interest applies to your data processing.
1. What Is Legitimate Interest Under GDPR?
Legitimate interest under GDPR refers to any interest that provides a benefit to one or more parties involved in the processing of data. Legitimate interests can be personal, commercial, or even societal interests.
For example, if you process data in the interest of your business operations, your activities may fall under GDPR legitimate interests.
What Is Not Legitimate Interest Under the GDPR?
Although most data processing falls under the protection of legitimate interests, there are some exceptions to what counts as a legitimate interest under the GDPR.
Article 6 says that data processing can be considered legitimate interests…
…except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject…
Keep in mind that the rights of data subjects are priorities under the GDPR and cannot be violated in the name of legitimate interests.
Furthermore, you as the business owner assume responsibility when choosing to process data on the grounds of legitimate interest. The onus is on you to ensure that user privacy is protected.
Declaring Legitimate Interests Under GDPR
Be as specific as possible about your legitimate interests and how your data processing serves users, as the above example shows.
To help determine how legitimate interests might apply to your data collecting practices, you can conduct a GDPR legitimate interest assessment, which we’ll go over below.
2. Conducting a GDPR Legitimate Interest Assessment (LIA)
A GDPR legitimate interest assessment (LIA) is a three-part test that determines if legitimate interest applies to a given data processing situation. LIAs are recommended by the UK’s Information Commissioner’s Office (ICO).
The three-part test consists of the following:
- Purpose test: Evaluate whether you’re pursuing legitimate interests in your data processing.
- Necessity test: Show that processing the data is necessary to achieve the stated purpose.
- Balancing test: Demonstrate that such a legitimate interest does not violate the rights or interests of the data subject.
Let’s go over each part of the LIA in more detail.
1. Purpose Test
You need to identify your purpose for data processing and assess whether it counts as a legitimate interest. Ask yourself questions such as:
- Why do I want to process users’ data?
- Who benefits from the data processing and how?
- What would happen if I didn’t go through with the processing?
- Am I complying with other relevant data privacy laws and industry standards?
- Are there any potential ethical issues with the processing?
For example, to determine whether there’s legitimate interest in your B2B marketing or direct marketing, you need to consider its benefits to users and/or third parties, and assess whether you’re processing data lawfully and fairly.
2. Necessity Test
This test determines whether the data processing is actually needed to achieve the intended purpose. Ask yourself:
- Will the data processing actually help achieve my stated purpose?
- Is the level of data processing proportionate to my purpose?
- Are there alternatives to achieve my purpose?
For example, if you use third-party platforms such as Google Analytics to track traffic and engagement, you may be able to achieve the same analytic purpose by collecting aggregate data rather than the data of individual users.
3. Balancing Test
The balancing test is about evaluating whether the data subject’s interests and fundamental rights override your legitimate interests.
You need to strike a balance between your interests and your users’ rights. Consider these questions:
- Do I process any type of sensitive personal data?
- Do I process the data of children or minors?
- Would users reasonably expect me to use their data for my stated purposes?
- What impact does my data processing have on individuals?
Implementing security measures for users’ personal data and being transparent about your data collecting practices could help tip the balance in your favor, allowing you to cite legitimate interest for your data processing activities.
It’s a good practice to conduct the LIA to show that your legitimate interests are valid according to the GDPR.
To help you better understand how this process can be applied in real life, we’ve compiled a number of examples below.
3. Examples of Legitimate Interest for Businesses
The GDPR outlines potential situations for which legitimate interest might be applied. These include:
- Fraud detection and crime prevention
- Network and information security
- Processing employee or client data
- Direct marketing
Fraud Detection and Crime Prevention
Data processing for the purposes of fraud detection and crime prevention usually passes the purpose test, leaving only the necessity and balancing tests to be considered for a specific case.
Be sure to explain how processing users’ data will help in fraud detection and prevention, as the example does.
Network and Information Security
Recital 49 of the GDPR states that an overriding legitimate interest is:
the processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security.
Since all business owners must diligently monitor and maintain the security of their platforms, processing personal data on the grounds of legitimate interests could be necessary for data breach investigations, or to prevent unauthorized access to a network.
Processing Employee and Client Data
Legitimate interest for processing employee and client data is addressed in Recital 47, which states that:
Such legitimate interests could exist, for example, when there is a relevant and appropriate relationship between the data subject and the controller in situations…
Cases where legitimate interest applies for processing employee and client data include:
- Background checks
- Emergency management
- Recordings of customer service calls for the purpose of quality management
Legitimate interest also applies to processing client data, which may be necessary in order to provide your business services — from business consulting to investment portfolio modeling.
Legitimate Interests in Direct Marketing
Email marketing and B2B marketing both may be legally valid reasons for data processing, as long as these activities are based on legitimate interest or consent.
Keep in mind that according to the GDPR’s wording, direct marketing may constitute a legitimate interest. Therefore, it is vital to carry out an LIA — especially the balancing test — in case you ever need to defend your legitimate interests.
Legitimate interests under the GDPR also apply in the case of suppression lists, notably for those individuals who have asked to be removed from a marketing list entirely. In such a case, storing a minimal amount of personal data, such as an email address, is a relevant way to ensure that the individual in question will not be contacted against their expressed wishes.
4. Does Processing Based on GDPR Legitimate Interest Apply to You?
Now that you have a better understanding of what GDPR legitimate interests are, the next step is to figure out if data processing on the grounds of legitimate interests is the right strategy for you.
Here are some questions to consider before deciding to process data based on legitimate interests:
Is legitimate interest the most appropriate basis for my data processing activities?
As mentioned previously, consider the three-part test to ensure that:
- There exists a legitimate interest.
- The processing of data is necessary to achieve it.
- The rights and interests of data subjects are properly considered and upheld.
Will the data be processed in a way that meets the reasonable expectations of users?
According to the GDPR, data subjects have the right to be in control of their personal data and the ways in which it is used. As a result, processing data in ways that users might not expect could violate the GDPR by virtue of not making users’ rights to their data expressly clear.
GDPR Consent vs Legitimate Interest
Under the GDPR, you’re allowed to process personal data without user consent if it’s based on any of the other legal bases previously mentioned.
Data processing based on consent, on the other hand, only requires you to obtain affirmative opt-in consent from the data subject — you don’t need to determine the necessity behind processing.
If you’re processing data and aren’t sure that your purposes meet the necessity standard for legitimate interests, getting consent is the safest option for GDPR compliance.