Key References:
- Art. 6(1)(f)
- Recitals 47-50
- WP29 Opinion 06/2014 (9 April 2014)
Legitimate Interests
- Legitimate interest is one of the six lawful bases of processing under Art. 6(1); it is set out at Art. 6(1)(f).
- WP29 Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC states, in part, that the controller’s legitimate interests must be balanced against the interests or fundamental rights and freedoms of the data subject.
Art. 6: Lawfulness of processing
1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child;
Three-part balancing test
The UK ICO provides the following three-part balancing test to determine whether legitimate interest is an appropriate and lawful basis for processing.
- Purpose test: the controller must identify a legitimate interest;
  - these can include commercial interests, individual interests or broader societal benefits.
- Necessity test: the controller should show that the processing is necessary to achieve it;
  - if the results to be gained from the processing can reasonably be achieved in another, less intrusive way, then the processing is not necessary and legitimate interests will not apply.
- Balancing test: the controller must balance it against the data subject’s interests, rights and freedoms;
  - if the data subject would not reasonably expect the processing, or if the processing would cause unjustified harm, then the data subject’s interests are likely to override the controller’s legitimate interests.
As part of GDPR Art. 5(2) Accountability, controllers must be able to demonstrate compliance with data processing principles. The UK ICO recommends that controllers conduct the above three-part legitimate interests assessment (LIA) and record the analysis as part of their Art. 5(2) and also Art. 24 obligations.
Examples of Legitimate Processing
- Recital 47.7 states that direct marketing purposes may be regarded as carried out for legitimate interests.
- Recital 47.6 regards processing that is strictly necessary for the purposes of preventing fraud as a legitimate interest.
- Recital 47.2 envisages that legitimate interests could arise in situations where the data subject is a client or in the service of the controller.
- Recital 48 states that transmitting personal data within a group of undertakings for internal administrative purposes, including the processing of clients’ or employees’ personal data can be a legitimate interest.
- Recital 49 states that processing data which is strictly necessary and proportionate to ensure network and information security constitutes a legitimate interest of the controller.
- Finally, GDPR Art. 49 on derogations for the transfer of personal data to third countries permits an international transfer where the transfer: is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has, on the basis of that assessment, provided suitable safeguards with regard to the protection of personal data.
Note: Pursuant to Art. 21, data subjects have the right to object to processing. This requires the controller to stop processing “unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject”.