There are situations when it may be appropriate to use legitimate interest as the legal basis for personal data processing. One example is a company that wants to send marketing emails to its former customers. In this marketing activity, the company may process the customer’s name and e-mail address based on legitimate interest.
Legitimate interest is one of six legal bases that companies can use for personal data processing, and it is one of the most commonly used. You can find the legal bases in Article 6 of the General Data Protection Regulation (EU) 2016/679 (GDPR). Two other examples of legal bases are contracts with data subjects and consent. However, there are several situations in which a company should not use consent as a legal basis.
In this article, you can read about more examples of when it may be appropriate for a company to use legitimate interest as the legal basis. But first, we will provide information about what legitimate interest means.
What does legitimate interest mean?
An interest in processing personal data that is considered lawful and reasonable is a legitimate interest. In other words, a legitimate interest is a lawful reason that a company can rely on to conduct personal data processing. However, the interests of the company must outweigh the interests or fundamental rights and freedoms of the data subject.
There are specific requirements that a company must fulfill in order to use legitimate interest as the legal basis for processing personal data, and further requirements that must be met for the use of this legal basis to be appropriate in the particular case.
To summarize, a company may use this legal basis only if it has a legitimate interest in the processing. Furthermore, the identified legitimate interests must outweigh the interests or fundamental rights and freedoms of the data subject. Therefore, it is important to carry out a Legitimate Interest Assessment (LIA) in order to analyze this.
How to conduct a Legitimate Interest Assessment (LIA) pursuant to the GDPR
In a legitimate interest assessment, it is important to take into account the reasonable expectations of data subjects. It is also important to take into consideration the relationship between the data subject and the controller. In addition, the company shall analyze whether the data subject could reasonably have expected, at the time of collection of their personal data, that the processing for the stated legitimate interest and purpose would occur.
There are several key elements to implement in the legitimate interest assessment, including six phases that companies should go through to find out whether a legitimate interest exists.
Please note that a company may not automatically process personal data just because it carries out a legitimate interest assessment. The processing in question may only take place if the result of the assessment shows that the data subject’s interest in the protection of his or her personal data, rights and freedoms does not outweigh the legitimate interest in the processing, not the other way around. A good starting point: the more sensitive the personal data, the more weight the interests of the data subject carry.
Legitimate interest of third parties
Something that is good to know is that the legitimate interest may be the company’s own or a third party’s. In some cases a company may disclose personal data to a third party who has a legitimate interest in processing it. However, before the company discloses personal data to a third party, the company must be able to demonstrate that the disclosure is justified. This includes finding out the following:
- Why: Why the third party wants the personal data.
- What: What the third party wants to do with the personal data.
- Necessity: Whether it is really necessary for the third party to process the personal data.
Examples of when this legal basis is appropriate to use
Below are some examples of when it may be appropriate to use legitimate interest as a legal basis:
- Direct marketing (Recital 47 GDPR). Many companies use direct marketing and, for example, send emails to their existing or former customers. It is permissible to use legitimate interest as the legal basis for the processing of personal data in such cases. However, it is important to keep in mind that the individuals who receive these emails have an absolute right to require the company to stop sending them. In such cases, the company shall immediately cease processing the personal data for the purpose of direct marketing.
- Transfer personal data between companies within a group of companies (Recital 48 GDPR). Another example of when it is common to use legitimate interest as a legal basis for processing personal data is when companies within a group transfer personal data between themselves for internal administrative purposes. For example, this may be done to internally process the personal data of the employees or customers.
- Fraud prevention (Recital 47 GDPR). A company may also process personal data on the basis of legitimate interest in the prevention of fraud or for other security reasons.
- Ensuring information security in IT systems (Recital 49 GDPR). A company may use legitimate interest as a legal basis to carry out proportionate and strictly necessary processing of personal data to ensure network and information security. This covers, for example, processing necessary to minimize risks and prevent the distribution of malicious code, to prevent unauthorized access to electronic communications networks, to stop damage to computer systems, and to stop ongoing attacks that overload the electronic communications system.
Examples of when companies should not use legitimate interest as the legal basis
- If the personal data belongs to children. There may be a legitimate interest in processing personal data belonging to children. However, the rules are stricter because children are an especially protected group. Therefore, companies should consider whether any other legal basis is more appropriate for the processing of children’s personal data. Companies must, among other things, take security measures to protect the rights and freedoms that children have under the GDPR and other laws.
- If the controller carrying out the processing is an authority. An authority cannot process personal data as part of its official work on the basis of legitimate interest; it is not allowed under the GDPR. This applies regardless of whether the authority carries out a legitimate interest assessment in advance or not. This is because it is up to the legislator to determine by law the legal basis for the processing of personal data to be carried out by public authorities. The processing of personal data by public authorities should therefore only take place on the basis of law.