For the processing of personal data, you need at least one legal basis. The most common ones are contract, consent, and legitimate interest. But legitimate interest is not a “soft option”. In this article, we give you everything you need to consider when assessing whether you have a legitimate interest.
What is Legitimate Interest?
Legitimate interest is one of the six lawful bases in the GDPR on which organisations can base their use of personal data. It is the most flexible lawful basis, but it comes with an extra responsibility: you must protect individuals’ rights and interests by carrying out a legitimate interest assessment. The legitimate interest can be an interest of your own organisation (for example, operating an effective business) or of one of your partners (for example, providing efficient support services). As these examples show, such interests can include commercial interests, individual interests or broader societal interests.
When Can You Use Legitimate Interest?
Typically, legitimate interest may be the most appropriate when personal data are used in ways that individuals would reasonably expect and with limited privacy impact.
There are three conditions that must all be met for the processing of personal data to be based on the legal basis of legitimate interest. The ECJ mentioned these three criteria for the first time in the so-called Rigas case (Case C-13/16), which introduced the Legitimate Interest Assessment (LIA).
In its judgment of 4 May 2017, the ECJ ruled that legitimate interest could be used as the basis for processing personal data in order to bring an action in a civil case. In that case, a person had caused damage to the property of a company, and the injured company wanted to claim damages. All three conditions were, without any doubt, met.
- Firstly, the controller must have a legitimate interest in processing the data. In this case, the injured company needed access to the personal data of the person who had caused the damage in order to bring an action for compensation.
- Secondly, the processing must be necessary to accomplish the legitimate interest. In this case, the data (ID number and address) was vital to initiate the damages proceedings.
- Thirdly, the fundamental rights and freedoms of the person concerned must not take precedence. The ECJ did not rule on this point in this particular case. Instead, the ECJ stated that the third criterion has to be assessed on a case-by-case basis.
Nowadays there is a methodology for determining whether there is a legitimate interest at hand. If there is, you do not have to rely on, for example, consent or contract as your legal basis. But always remember that legitimate interest is by no means a “soft” option for when you cannot use contract, consent or the other alternatives.
The Correct Order to Perform the LIA
A Legitimate Interest Assessment (LIA) is a light-touch risk assessment in three parts. You weigh the legitimate interest, the benefits and the privacy harms.
Step 1: Identify the Legitimate Interest
To use legitimate interest as a legal basis, there are initially two requirements. First, you must identify an interest. Second, that interest must be legitimate.
The interest and the purpose are connected, yet they are different: the purpose relates to the specific processing activity, while the aim of the interest is broader. The interest can, for example, be societal, cultural, or economic.
You can identify an interest as legitimate in the recitals to the GDPR or in another legislative act. For example, recital 49 mentions IT security as an example of a legitimate interest. If no regulation identifies your interest as legitimate, you can assess the interest yourself. A wide range of interests may be seen as legitimate, including the legitimate interests of any third party. The most important part is that you, as a controller, can justify why the interest is legitimate.
Example: ask yourself, what does our organization aim to get from the processing? Is the aim identified in the GDPR as a legitimate interest? Are we sharing data with any third party?
Step 2: The Necessity Test
Necessity is fundamental to data protection and works as a proportionality test.
In your assessment of legitimate interest, you must research alternative methods. Where alternatives exist, you must assess the potential impact of each method on the data subject.
The necessity test is something a controller might forget. If the controller has not researched alternatives, the chosen method cannot be shown to be proportionate. As a result, you cannot do the balancing exercise.
Example: Why is the processing crucial to us? Are there alternative ways to reach the aim?
Step 3: The Balancing Test
The next step in the assessment of the legitimate interest, after researching alternatives, is the balancing exercise. This test attempts to weigh two weightless entities: the interest of the data subject and the interest of the controller. The ambition is to give substance to an abstract notion of proportionality. Of course, the test is hypothetical. Since no one knows the exact interest of each data subject, the assessment is based on what a data subject normally wants: in this case, privacy and respect for their fundamental human rights.
The balancing exercise is both complex and abstract. Below we introduce two aspects to consider when performing the test. However, remember that there are more aspects.
Example: is the processing in the interest of the data subject? Does the data subject get anything out of the processing? Is the data collected from the data subject or from elsewhere?
The Data Subject’s Reasonable Expectation
For unexpected processing, the interest of the individual overrides the interest of the controller, since unexpected processing takes control away from the data subject. Therefore, you should perform the assessment against all available information about the processing, for example privacy policies and notices.
The Impact on the Data Subject
This is probably the most obvious aspect to consider in your legitimate interest assessment. If you carry out the processing partly in the interest of the data subject, that speaks for one outcome. If the processing could likely result in harm to the data subject, that speaks for the opposite.
Legitimate Interest for Direct Marketing
The most common use of the legitimate interest assessment is as a legal basis for direct marketing. In contrast to traditional marketing, i.e. general ads, direct marketing aims to make relevant ads for each customer type. Direct marketing is identified as a legitimate interest in recital 47 of the GDPR. But you have to assess every case on its merits and balance it against the ePrivacy Directive, through the necessity test and the balancing exercise.
The necessity test would probably fall in favour of the controller, provided that the use of data is not excessive. Here you have to consider what data the controller uses. If the controller uses unnecessary data or advanced profiling, the processing would fail the necessity test. The same applies if the marketing is more aggressive than needed. Is there a less invasive alternative that still achieves the underlying interest of personalised ads? If so, and you still stick with your original plan, you have to justify it thoroughly.
The balancing exercise would have to consider various aspects. The assessment should include the relationship between the controller and the data subject. If the relationship is relevant and appropriate, that speaks for the existence of a legitimate interest. Relevance supports the view that the direct marketing purpose was reasonable for the data subject to expect. Yet there are more aspects to consider: for example, what type of personal data you process, how often you perform the marketing, and for what type of product.
How to Implement the Legitimate Interest Assessment in Your Organization
Your organization must create a process for assessing legitimate interests. The process must include at least the above-mentioned steps. If your organization uses legitimate interest as a legal basis, make sure that you actually do the assessment. Also, make sure that the outcome of the balancing test is well documented.
The most detailed and helpful guidance on the concept of legitimate interest is found in the expert guidance of WP29 Opinion 06/2014 (9 April 2014). Even though it is now archived, it is still the best there is, at least until the EDPB releases its own guideline to update it.