How does the GDPR define legitimate interest? Does the legitimate interest legal base cover company interests only or can it also include third parties interests?
There is no precise definition under the GDPR of what constitutes a legitimate interest, and this is precisely what leaves room for a controller to argue that certain business activities, for instance sending direct marketing messages to a group of people, are based on the controller’s legitimate interest.
Ultimately, all companies have different interests in processing personal data for different purposes. But are all these interests legitimate?
The GDPR does, however, contain a few provisions from which certain characteristics can be extracted, narrowing the scope of this lawful basis and outlining what it covers.
On one hand, the GDPR explicitly says that personal data can be processed for the controller’s legitimate purposes or for third-party purposes (Article 6.1.f). In other words, a company can intend to process personal data in its own interest, but if third parties need to receive personal data, this also constitutes a legitimate interest.
Additionally, commercial interests also qualify. For example, if a company has a commercial interest in storing the personal data of website visitors, this is possible in principle.
Nevertheless, the processing of such personal data must be necessary. This means the processing cannot be left to the controller’s discretion: it must be the only way to achieve those purposes. If the purpose can be achieved in another way, relying on this legal basis is not advisable.
Taking the previous example, the company should determine that it genuinely needs to store website visitor data in order to better understand its customers and/or to learn what interests customers when they use the company’s services, so that it can improve those services and, if needed, look for suitable external suppliers.
But that is not the end of the analysis.
If such an interest affects individuals’ fundamental rights and freedoms, the processing cannot be carried out, even if it is necessary.
Hence, if a company states in its privacy policy that it will collect website visitors’ data to improve the service, but those individuals then start receiving weekly newsletters about products they are not interested in, that processing is not permissible under the GDPR.
Purpose, Necessity and the Balancing Test: relying on legitimate interests as a lawful basis.
As previously shown, three elements need to be considered whenever a company selects legitimate interest as their legal basis.
First, consider whether the activity at hand actually pursues a legitimate interest rather than falling under another lawful basis. For instance, if a company stores employee bank account data for payment purposes, this is inextricably linked to the employment contract; the legal basis of this processing activity is therefore the performance of a contract, which means no legitimate interest is involved here.
Secondly, the processing has to be necessary to achieve this legitimate interest.
Finally, such an interest must be balanced against individuals’ interests, rights, and freedoms. Moreover, if individuals, particularly children, are affected by that processing or would not reasonably expect it to happen, companies should avoid processing their personal data or find another lawful basis. An important factor in this last step is what the privacy notice disclosed to individuals: if companies include clear information about the processing, individuals are more likely to expect it.
We encourage companies to keep a record of the legitimate interests assessment (LIA) to demonstrate compliance if required.
Use-cases: can companies rely on legitimate interest for direct marketing or web analytics?
There is no clear-cut yes-or-no answer to these questions.
Apart from the mandatory three-step approach, it is important to keep in mind that the relationship with the individuals plays a very important role in determining whether this legal basis can be used. If the company has a prior client relationship, the individual could reasonably expect the processing of their personal data. In other cases, a full Legitimate Interest Assessment (LIA) is required, and whether legitimate interest applies will be determined on a case-by-case basis.
Ultimately, the information companies provide to individuals is key to preventing possible claims. The privacy notice is the best place to provide it, as at the very least it allows individuals to exercise their right to have their data not subjected to further processing.
In short, this article has shown that, provided an appropriate assessment is carried out before any personal data is processed on the basis of legitimate interest, this legal basis is in effect broader in scope than the other legal grounds. The legitimate-interest legal basis can be flexible, but it requires both a documented internal assessment of the three stages within the company and external communication to the individuals involved.