Legitimate Interest Guide Under the GDPR

The GDPR lists six lawful bases for processing personal data, and legitimate interest is one of them.

  • No particular purpose is defined, so it is the most flexible of all the lawful bases;
  • It does not require specific consent from the data subject;
  • The processing is in the interest of the company → it benefits the company or others;
  • It is overridden by fundamental rights → when the rights and interests of the data subjects need protection over the company’s own interests, for example data relating to a child or to criminal offences.

But how do you know what counts as a legitimate interest? The GDPR does not define which factors to take into account when deciding whether your purpose is a legitimate interest, and legitimate interests can apply in a wide range of circumstances. It is therefore left to the company to balance its own interests against the interests of the individual and their personal data.

The Three-Part Test

The key elements of the legitimate interests provision can be broken down into a three-part test.

  • Purpose test – is there a legitimate interest behind the processing?
  • Necessity test – is the processing necessary for that purpose?
  • Balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms? (social and economic disadvantage, loss of control of the data, inability to exercise rights)

It is not sufficient for a company to simply decide that the processing is in its legitimate interests and start processing the data. The company must be able to satisfy all three parts of the test before the processing begins.

Legitimate Interest Under the GDPR

Legitimate interest is the most flexible lawful basis, but you cannot assume it will always be appropriate for all of your processing. A company that chooses to rely on legitimate interests takes on extra responsibility for ensuring that people’s rights and interests are fully considered and protected. Therefore, before basing data processing on a legitimate interest, a company must be sure about:

  • The privacy impact is minimal
  • The use of the data is proportionate
  • Customers can reasonably expect such usage (would they object?)

As mentioned, a wide range of interests may be legitimate interests. They can be the company’s own interests or the interests of third parties, and commercial interests as well as wider societal benefits. They may be compelling or trivial, but trivial interests are more easily overridden in the balancing test. To understand what constitutes a legitimate interest, see the list below.

Constitutes a legitimate interest, or may constitute one if the purpose is precise:

  • Fraud prevention
  • Ensuring network and information security
  • Public security and the indication of criminal acts
  • The processing of employee and client data
  • Direct marketing (in compliance with e-privacy rules)
  • Administrative transfers within a group of companies

Legitimate Interest Application Examples

Example No. 1

An individual uploads their CV to a jobs board website. A recruitment agency accesses the CV, thinks that the individual may have the skills that two of its clients are looking for, and wants to pass the CV to those companies.

It is likely in this situation that the lawful basis for processing for the recruitment agency and their clients is legitimate interests.

The individual has made their CV available on a job board website for the express purpose of employers being able to access this data. They have not given specific consent to identified data controllers, but they would clearly expect recruitment agencies to access the CV and share it with their clients; indeed, this is likely to be the individual’s intention. As such, the legitimate interest of the recruitment agencies and their clients in filling vacancies would not be overridden by any interests or rights of the individual. In fact, those legitimate interests are likely to align with the individual’s own interest in circulating their CV in order to find a job.

Example No. 2

An insurance company wants to process personal data to spot fraudulent claims on the basis of legitimate interests.

Firstly, it considers the purpose test. It is in the company’s legitimate business interests to ensure that its customers do not defraud it out of money. However, at the same time, the company’s other customers and the public in general also have a legitimate interest in ensuring that fraud is prevented and detected.

Having met the purpose test, the insurance company can then go on to consider the necessity test and then the balancing test.

Example No. 3

A finance company is unable to locate a customer who has stopped making payments under a hire purchase agreement. The customer has moved to a new house without notifying the finance company of their new address. The finance company wants to engage a debt collection agency to find the customer and seek repayment of the debt. It wants to disclose the customer’s personal data to the agency for this purpose.

The finance company has a legitimate interest in recovering the debt it is owed, and to achieve this purpose it is necessary for it to use a debt collection agency to track down the customer for the payment owed.

The finance company considers the balancing test and concludes that it is reasonable for its customers to expect that it will take steps to seek payment of outstanding debts. The interests of the customer are likely to differ from those of the finance company in this situation, as it may suit the customer to evade paying their outstanding debt.

However, the legitimate interest in passing the personal data to a debt collection agency in these circumstances would not be overridden by the interests of the customer. The balance would be in favour of the finance company.

Read more about Legitimate interests under the GDPR.
