How to use legitimate interest under the GDPR?

Friday January 29th, 2021 by Esthefania Vargas

How does the GDPR define legitimate interest? Does the legitimate interest legal basis cover only the company’s own interests, or can it also include the interests of third parties?

The GDPR contains no precise definition of what constitutes a legitimate interest, and this is exactly what leaves room for a controller to argue that certain business activities, for instance sending direct marketing messages to a group of people, are based on the controller’s legitimate interest. Recital 47 even names direct marketing as an example of processing that may be carried out for a legitimate interest, without saying that it always is.

Ultimately, every company has its own interests in processing personal data for its own purposes. But are all of these interests legitimate?

The GDPR does, however, contain a few provisions from which characteristics of this lawful basis can be extracted, narrowing its scope and outlining when it applies.

First, the GDPR explicitly says that personal data may be processed for the purposes of the legitimate interests pursued by the controller or by a third party (Article 6(1)(f)). In other words, a company may process personal data for its own interest, but the interest that justifies the processing can also be one pursued by a third party, for example a recipient to whom the data is disclosed. Disclosure to a third party does not make the processing legitimate by itself; the third party’s interest still has to pass the same test as the controller’s.

Commercial interests can also qualify. For example, if a company has a commercial interest in storing the personal data of website visitors, this is possible in principle.

Nevertheless, the processing of such personal data must be necessary. This means it is not up to the controller’s discretion: the processing must genuinely serve the stated purpose, and there must be no less intrusive way of achieving it. "Necessary" does not require that the processing is the only conceivable way, but if the same purpose can reasonably be achieved with less data or with less impact on the individuals, this lawful basis cannot be relied on for the more intrusive option.

Returning to the previous example, the company should be able to show that it actually needs to store website visitor data in order to understand its customers better and/or to learn how customers use the company’s services, so that it can improve those services and, if needed, select suitable external suppliers.

That is not the end of the analysis.

If the controller’s interest is overridden by the interests or fundamental rights and freedoms of the individuals concerned, the processing cannot go ahead, even if it is necessary for that interest.

Hence, if a company states in its privacy policy that it collects website visitors’ data to improve the service, but those individuals then start receiving weekly newsletters about products they have no interest in, that processing is not covered: it falls outside what the individuals were told and could reasonably expect. Note also that sending marketing e-mails is additionally governed by the ePrivacy rules on electronic direct marketing, which in many cases require consent regardless of the GDPR lawful basis.

Purpose, Necessity and the Balancing Test: relying on legitimate interests as a lawful basis. 

As shown above, three elements need to be considered whenever a company selects legitimate interest as its lawful basis.

First, identify the interest that the activity pursues and check that it is legitimate, and that no other lawful basis fits the activity better. For instance, if a company stores employees’ bank account data in order to pay their salaries, this is inextricably linked to the employment contract; the lawful basis for this processing is therefore the performance of a contract, and legitimate interest is not the right basis here.

Secondly, the processing has to be necessary to achieve that legitimate interest.

Finally, that interest must be balanced against the individuals’ interests, rights, and freedoms. If the individuals (particularly children) would be adversely affected by the processing, or would not reasonably expect it to happen, companies should refrain from processing their personal data on this basis or find another lawful basis. An important factor in this last step is what the privacy notice disclosed to the individuals: if companies include clear information about the processing, individuals are more likely to expect it.
We encourage companies to keep a record of the legitimate interests assessment (LIA) so that they can demonstrate compliance if required.

Use-cases: can companies rely on legitimate interest for direct marketing or web analytics?

There is no clear-cut yes-or-no answer to these questions.

Apart from the mandatory three-step approach, keep in mind that the relationship with the individuals plays a very important role in determining whether this lawful basis can be used. Where the company has an existing client relationship, the individual is more likely to expect the processing of their personal data. In other cases, whether legitimate interest applies can only be determined case by case, through a full Legitimate Interest Assessment (LIA). For web analytics, note that any use of cookies or similar technologies on the visitor’s device is additionally subject to the ePrivacy rules, which may require consent independently of the GDPR lawful basis chosen for the analytics data itself.

Ultimately, the information companies provide to individuals is key to preventing possible claims. The privacy notice is the best place to provide it, since at the very least it allows individuals to exercise their right to object to the processing (Article 21 GDPR); for direct marketing, that right to object is absolute and the processing must stop once it is exercised.

In short, if an appropriate assessment is carried out before any personal data is processed on the basis of legitimate interest, this lawful basis is in practice broader in scope than the other legal grounds. Legitimate interest is flexible, but it requires both a documented internal assessment of the three stages within the company and clear external communication to the individuals involved.

Esthefania Vargas

Junior Consultant

Esthefania Vargas (CIPP/E) is a Colombian attorney who graduated from Externado de Colombia University and holds a Master’s degree (LLM) in International Dispute Resolution from Humboldt Universität, Berlin. She has worked at private and public companies as well as law firms, focusing on contract law, insurance, blockchain, the General Data Protection Regulation (GDPR) and legal technology. She joins TechGDPR as a junior consultant.

