GDPR: legitimate reasons for processing information

Legitimate interests is the most flexible lawful basis for processing of personal information, it is also currently quite a grey area so you cannot assume it will always be the most appropriate for your purposes.

It is best used as a lawful basis, where you would use people’s information in a way they would reasonably expect it to be used, and which has a minimal impact on their privacy.

If you choose to rely on legitimate interests, you will need to consider and protect individual’s rights and interests. Consider how you would do this.

Public authorities can only rely on legitimate interests if they are processing for a legitimate reason, other than performing their tasks as a public authority.

What are your legitimate reasons for processing information?

There are three elements to using legitimate interests as a basis for processing. These are:

  • You need to identify the legitimate interest you plan to use,
  • Show that the processing is necessary to achieve it; and
  • Then balance this against the individual’s interests, rights and freedoms.

The legitimate interests can be your own interests or the interests of third parties and can include commercial interests, individual interests or broader social benefits.

Justify your need for using the data

The processing must be necessary. If you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply. You must take care to balance your interests against those of the individuals whose information you are using. So if they would not expect their information to be used in this way or it would cause them unjustified harm, their interests will override yours.

The GDPR specifically mentions use of client or employee data, marketing, fraud prevention, intra-group transfers, or IT security as potential legitimate interests, but this is not an exhaustive list. It also says that you have a legitimate interest in disclosing information about possible criminal acts or security threats to the authorities.

Invasion of privacy

You can rely on legitimate interests for marketing activities if you can show that how you use people’s data is proportionate, has a minimal privacy impact on the individual and people would not be surprised or likely to object – and if you don’t need consent under the Privacy and Electronic Communication Regulations (PECR).

You may be able to rely on legitimate interests to share personal information with a third party. You will need to demonstrate that any sharing of information is justified and consider why they want the information, whether they actually need it, and what they will do with it. It will be their responsibility to determine their lawful basis for their own processing.

You must include details of your legitimate interests in your privacy notice.

If you are relying on legitimate interests to be able to undertake direct marketing then the right to object is absolute, and you must stop using the personal information you hold for direct marketing purposes when someone objects.

Undertaking a Legitimate Interest Assessment

You should undertake an assessment of the legitimate interest process so that, if required, you could demonstrate compliance and justification for the use of the personal information. It should address the following as a minimum:

  • Would the individual expect their information to be used for the purpose for which you wish to use it (or are using it)?
  • Does processing the data enable you to meet the lawful objectives of your organisation?
  • Is the processing in the interest of the person whose data it relates to?
  • Would the processing violate or in any way undermine the individual’s ability to exercise their rights?
  • How would your organisation suffer harm if the processing does not happen?
  • What is the nature of the relationship between the individual and the organisation?
  • What kind of data is to be processed? In particular, consider whether such data enjoys special protection under the GDPR?
  • Is the processing intrusive or inappropriate or could it be construed as such by the individual?
  • Did the individual get a collection notice? If so, how was the notice provided?
  • How much control does the individual have over the data being processed? Can they object?
  • What risk reduction or mitigation measures can your organisation put in place to avoid harm to an individual’s privacy?

Maintain a record of your Legitimate Interest Assessments and the outcomes so you can justify your thinking and decision-making processes. You should also regularly review your Legitimate Interest Assessments.

If you have concerns regarding re-consent read: GDPR: mailing lists – the myths for what you need to do.

Ian Cooley GDPR, Data Protection and Privacy Specialist at GDPR Advisors UK.

Related articles