“Legitimate interests is the most flexible lawful basis for processing,
but you cannot assume it will always be the most appropriate”
UK Information Commissioner’s Office
Let’s say you want to process personal data for a specific purpose and in this situation obtaining consent would be tricky or perhaps inappropriate.The activity isn’t covered by a contract, and certainly isn’t something which is in the individuals’ vital interests. This looks like a case of legitimate interests doesn’t it?
Just because you want to process personal data doesn’t mean you can – lawfully. Legitimate interests may be, in the words of the ICO “the most flexible lawful basis”, but the words “you cannot assume it will always be the most appropriate”, are equally important. You must make an assessment to balance your business interests with the interests and privacy rights of the people’s whose personal data you are processing. This will require some judgement: is your intended purpose really necessary and is it within the reasonable expectations of those whose personal data you are using?
If so we can move on to the ‘balancing test’. Now, we need to identify and evaluate the privacy rights of the individual and judge if these are affected by the intended processing. For example, people have a right to know how their data will be processed, so how will you inform them? Will you add additional information at the time of collection, or update your privacy notice? Will you enable them to object to this processing?
This balancing test must be conducted fairly, without biasing the scales in favour of your business interests. To ensure fairness, some people find it helpful to put themselves in someone else’s shoes. For example, consider whether your Dad (for instance) would expect this activity to be happening or maybe what your aunt would feel if she found out. Your business may think it’s legitimate, but would the people whose data is being used agree?
Some legitimate interests are fairly clear cut, for example processing for the prevention of fraud or for other strictly necessary reasons. But others require more careful thought and assessment.
What does GDPR say about Legitimate Interests?
Article 6 1(f) states:
‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of Personal Data, in particular where the data subject is a child.’
Also take care to read Recital 39 which explains the need for transparency and specifically Recital 47, which explains the requirements to take into consideration reasonable expectations, a relevant and appropriate relationship and the need for a careful assessment. This Recital is important for marketers, as it confirms that direct marketing may be considered to be a legitimate interest.
What makes a purpose legitimate?
Let’s run through the steps. To ensure you are compliantly relying on legitimate interests you need to conduct a 3-stage test; what we at the DPN and the ICO term a Legitimate Interests Assessment (LIA). The 3 core elements of the test are:
1. The assessment of whether a legitimate interest exists (i.e. the purpose is a legitimate one)
2. Confirming the processing is necessary (i.e. there’s no alternative way to achieve the result)
and last but by no means least….
3. The performance of a balancing test to decide if a particular processing operation can rely on legitimate interests.
Be careful not to try and overplay your business interests into this assessment or undermine the rights of individuals. You need to take a holistic approach and properly consider your relationship with the individuals whose data is being used, whether you are being transparent, whether you have enabled individual’s to exercise their lawful rights and that the processing would be within their reasonable expectations.
If your reliance on legitimate interests is challenged you will need to be able to demonstrate that you fully considered the necessity of the processing, balanced this and came to a decision that people’s interests and rights did not override your interests. Conducting and documenting LIAs will show you did this, but remember it is no guarantee your decision will be upheld. Legitimate interests may be the most flexible lawful basis but it is risk-based.
For more information, case studies and an LIA template please see our industry-led Legitimate Interests Guidance, which was first published in July 2017 and now features 30 examples of its use. The ICO has also published detailed guidance.
What next for legitimate interests?
We are still in the early months of GDPR and have only seen limited enforcement by supervisory authorities across Europe under this new law. Challenges are likely to have already been made surrounding legitimate interests, more will come, and any regulatory action in this area will be watched with avid interest.
Philippa Donn, January 2019
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.