While consent is often the key to data processing under the GDPR, it's certainly not the only option. You can instead process personal data when doing so comes under your "legitimate interests."
- 1. Lawful Bases
- 1.1. Legitimate Interests Versus Vital Interests
- 1.2. The Meaning of Legitimate Interests
- 1.3. 'Overriding'
- 1.4. Legitimate Interests Assessment
- 1.5. Examples and Exceptions
- 2.1. What Data You Process
- 2.2. The Purpose for Using it
- 2.3. How Long You Will Keep the Data
- 2.4. Your Legal Basis
- 2.5. Legitimate Interests
- 3. Data Subject Rights
- 4. Summary
The GDPR covers the ways you can process personal data, emphasizing that:
- The GDPR applies if the data subject (the person the data is about), the data controller (who decides what data to process and how) or the processing itself is in an EU country
- Personal data is information about an identifiable individual
- Processing is any use of the data, including collecting, disclosure and destruction
Article 6 of the GDPR sets out a simple and fundamental principle: You can only process personal data if at least one of six lawful bases applies.
The first of these, and arguably the best known, is that the data subject has consented to the processing. The next four are:
- The processing is necessary to carry out a contractual obligation
- The processing is necessary to comply with a legal obligation
- The processing is necessary to protect somebody's (usually the data subject's) vital interests
- The processing is necessary to carry out a task in the public interest or to exercise official authority
The sixth basis, known as the "legitimate interests" basis, reads in full:
"processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child."
Legitimate Interests Versus Vital Interests
Make sure not to mix up the fourth basis ("vital interests") and the sixth basis ("legitimate interests"). These deal with different concepts and subjects.
The fourth basis is about the data subject, not the data controller.
"Vital" interests means something essential for the life of the data subject. Put more simply, it means a matter of life or death. The most common example would be if a surgeon needed to access the medical records of an emergency patient who was unconscious or otherwise unable to give consent.
Generally, you could only rely on the "vital interests" basis if none of the other bases were relevant or appropriate.
The Meaning of Legitimate Interests
The legitimate interests basis often causes confusion as it is arguably the least clear-cut of the six bases. Whether it applies isn't always a purely objective question, because it involves balancing competing rights.
In simple terms, legitimate interests means data processing that supports and achieves the aims of your organization.
These could be commercial aims (such as those of a business), organizational aims (such as those of a campaign group), or aims that benefit wider society. Legitimate interests could cover your core activity, such as making and selling widgets, or supporting activity such as administration or marketing.
Merely having legitimate interests doesn't automatically qualify as a legal basis under GDPR. Instead, the legitimate interests must override the wider GDPR rights of the data subject, such as privacy.
Two of the key factors that determine whether your legitimate interest can override the data subject's rights are:
- Whether you have a clear and relevant relationship with the data subject, such as them being a customer or supplier
- Whether the data subject would reasonably expect you to carry out the activity using their data. For example, a magazine subscriber would expect you to use their address to send a renewal reminder but would not necessarily expect you to sell their address as part of a mailing list.
Legitimate Interests Assessment
The GDPR puts the burden on the data controller to confirm that their processing does indeed qualify for the legitimate interests basis. While it's not a specifically stated requirement of the GDPR to do so, you should consider carrying out a legitimate interests assessment whenever you plan to rely on this basis.
The Information Commissioner's Office in the United Kingdom suggests the assessment should involve applying a three-part test. Specifically, you should be able to answer yes to three questions:
- Have you identified a specific legitimate interest that you are pursuing through the data processing?
- Can you show that the processing is necessary to pursue this interest? (The answer is "no" if you can achieve the same result through a method that's less intrusive.)
- Does the legitimate interest you are pursuing balance or outweigh the rights of the data subject under the GDPR? (Take into account the impact the action has on them.)
This example from Twin UK shows some of the more detailed questions that can help assess these three main points.
Note that some data is classed as "special category data" under Article 9 of the GDPR.
Examples include data about ethnic origin, data about political or religious beliefs, biometric data and health data. The potentially serious impact on the data subject means you should take extra care and require a higher burden of proof before relying on the legitimate interests basis to process special category data.
Examples and Exceptions
Data processing by public authorities performing their tasks cannot come under the legitimate interests basis. This is because such processing should only happen under a legal authority, which means it will come under the fifth GDPR basis.
Remember that the "legitimate interests" basis can only apply where no other GDPR basis is relevant.
Recital 47 of the GDPR specifically states that processing data for "preventing fraud" counts as a legitimate interest. Remember that data subjects still have the right to know if you are using automated decision making (such as a fraud check) and to ask for a manual review of the decision.
You may need to review how using the "legitimate interests" basis for fraud prevention processing interacts with other elements of the GDPR. For example, you may need to override the usual data subject right to ask that their data be deleted if doing so would make it harder to spot fraudulent activity.
Transferring data between different controllers who are part of a "group of undertakings" for "internal administrative purposes" will usually count as legitimate interests. A group of undertakings means one organization or business that controls one or more other organizations or businesses. This control could be based on legal ownership, financial arrangements or other rules.
Processing personal data for direct marketing can be classed as meeting "legitimate interests" but has an important exemption from the usual rules about opt-out requests. If a data subject asks you to stop processing their data for direct marketing purposes, you must do so immediately. This is an absolute right of the data subject.
Processing personal data to protect network and data security is a legitimate interest and will normally override the data subject's rights.
When it comes to the GDPR, Privacy Policies aren't just about consent. You'll need to include information about personal data that you process using legitimate interests as your legal basis.
Some information needs to appear in all Privacy Policies designed to meet GDPR requirements, regardless of what data you process. This includes:
- Your identity and contact details and those of your data protection officer
- The user's right to complain to you or to the relevant supervisory authority. It's best to include the authority's contact details
- Whether you use any automated decision-making, including data profiling
- Whether providing the data is a contractual or legal requirement and what would happen if the user refuses to provide it
You also need to include some specific details about the data you process. If you process different data in different circumstances, you could use a list or a chart covering the different scenarios. However, it must be clear to the individual exactly which details apply to their personal data.
The details to include are as follows.
What Data You Process
You can list categories or types of data, but these must be specific enough to be informative.
The Atlantic strikes a good balance by using categories and then adding examples for each.
The Purpose for Using it
Remember that each purpose is treated individually when considering legal bases, even when processing the same data. For example, using addresses for a mailing list could qualify for the legitimate interests basis. Selling the address to a marketing company would usually not and would instead require a separate legal basis such as consent.
How Long You Will Keep the Data
If you don't know how long you will retain the data, say how you'll decide the retention period.
Nestle gives a clear summary along with a link to more details.
Your Legal Basis
You must tell the data subject that you are relying on the legitimate interests basis. While it's OK to refer to the relevant part (Article 6) of the GDPR, be sure to use the words "legitimate interests" or, even better, something like "the processing is necessary for our legitimate interests."
Don't simply refer to "legal basis 1(f)" as this isn't clear or useful enough for the reader.
Farewill uses clear language to connect a specific use of data with a specific lawful basis.
Summarize the specific legitimate interests on which you are relying, for example "to promote our products to customers" or "to target our marketing demographically."
This meets the general requirement to keep the user informed so they can better make decisions such as whether to use your services or to object to processing.
The Financial Times gives a clear example of a legitimate interest.
Data Subject Rights
Detail how data subjects can object to your processing and the key points of how this will work, namely:
- The right to object is not usually absolute
- If the data subject objects, you can only carry on processing data if you demonstrate compelling legitimate grounds to override the specific details of the objection
- The right to object is absolute with direct marketing and you will stop the data processing immediately if the data subject objects
CMS Law makes the right to object clear.
You can also note that, unlike with processing based on consent, the data subject does not have the right to data portability (getting a copy of the data to take elsewhere) if your legal basis for processing is legitimate interests.
Let's recap what you need to know about the GDPR and legitimate interests.
- If the GDPR applies, processing personal data is only lawful if at least one of six legal bases applies.
- Consent is the best known basis, but the list also includes processing for legitimate interests.
- A legitimate interest usually means something that achieves or supports your organization's main aims.
- The legitimate interest must override the data subject's rights. This usually requires that you have a relevant relationship with them and they would reasonably expect you to process the data in this particular way.
- You can carry out a legitimate interests assessment. One way is to check that you meet three conditions:
  - You've identified a specific legitimate interest
  - Processing the data is the only way to pursue this interest
  - The interest outweighs the data subject's rights
- You'll need a higher degree of certainty that the legitimate interests basis is appropriate if you are processing sensitive data such as ethnic origin or health information.
- Preventing fraud, transferring data between related companies, direct marketing, and protecting network security will all usually count as legitimate interests.
- If a data subject objects to processing for direct marketing, you must stop immediately.
- List your contact details and those of the relevant supervisory authority. You should also say if you use automated decision-making and whether providing the data is legally or contractually required.
- Detail the data you process, the purpose for doing so, and how long you'll keep it.
- Say that you are using the legitimate interests basis and explain what those interests are.
- Tell the user about their right to object to data processing.