GDPR lists six lawful bases for processing of personal data, and legitimate interest is one of them.
- There is no particular purpose defined, therefore, it is the most flexible from all the other legal bases;
- Does not require specifically agreed consent from the data subject;
- The processing is in the interest of the company → benefits the company or others;
- Overridden in the case of fundamental rights → when the rights and interests of the data subjects need protection over the company’s own interests. For example, the protection of data from a child, criminal offences.
But how to know, what is considered a legitimate interest? The GDPR does not define what factors to take into account when deciding if your purpose is a legitimate interest. Legitimate interests can be applied in a wide range of circumstances. Therefore, it’s left for the company to balance their interests against the interests of an individual and their personal data.
The Three-Part Test
The key elements of the legitimate interests provision can be broken down into a three-part test.
- Purpose test – is there a legitimate interest behind the processing?
- Necessity test – is the processing necessary for that purpose?
- Balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms? (social and economic disadvantage, loss of control of the data, inability to exercise rights)
It’s not sufficient for a company to simply decide that it’s in your legitimate interests and start processing the data. You must be able to satisfy all three parts of the test prior to commencing your processing.
Legitimate Interest Under the GDPR
Legitimate interest is the most flexible lawful basis, but you cannot assume it will always be appropriate for all of your processing. If you choose to rely on legitimate interests, companies take on extra responsibility for ensuring people’s rights and interests are fully considered and protected. Therefore, before base data processing on a legitimate interest, a company must be sure about:
- The minimal privacy impact
- The proportionate use of data
- Customers can reasonably expect such usage (would they object?)
As mentioned, a wide range of interests may be legitimate interests. They can be companies interests or the interests of third parties, and commercial interests as well as wider societal benefits. They may be compelling or trivial, but trivial interests may be more easily overridden in the balancing test. To understand, what constitutes as a legitimate interest, see the table below.
|MAYBE (if precise purpose)
Legal Interest Application Examples
Example NR. 1
An individual uploads it’s CV to a jobs board website. A recruitment agency accesses the CV and thinks that the individual may have the skills that two of its clients are looking for and wants to pass the CV to those companies.
It is likely in this situation that the lawful basis for processing for the recruitment agency and their clients is legitimate interests.
The individual has made their CV available on a job board website for the express reason of employers being able to access this data. They have not given specific consent for identified data controllers, but they would clearly expect that recruitment agencies would access the CV and share with it their clients; indeed, this is likely to be the individual’s intention. As such, the legitimate interest of the recruitment agencies and their clients to fill vacancies would not be overridden by any interests or rights of the individual. In fact, those legitimate interests are likely to align with the interests of the individual in circulating their CV in order to find a job.
Example NR. 2
An insurance company wants to process personal data to spot fraudulent claims on the basis of legitimate interests.
Firstly, it considers the purpose test. It is in the company’s legitimate business interests to ensure that its customers do not defraud it out of money. However, at the same time, the company’s other customers and the public in general also have a legitimate interest in ensuring that fraud is prevented and detected.
As it has met the purpose test the insurance company can then go onto consider the necessity test and then the balancing test.
Example NR. 3
A finance company is unable to locate a customer who has stopped making payments under a hire purchase agreement. The customer has moved to a new house without notifying the finance company of their new address. The finance company wants to engage a debt collection agency to find the customer and seek repayment of the debt. It wants to disclose the customer’s personal data to the agency for this purpose.
The finance company has a legitimate interest in recovering the debt it is owed and to achieve this purpose it is necessary for them to use a debt collection agency to track down the customer for payment owed.
The finance company considers the balancing test and concludes that it is reasonable for its customers to expect that they will take steps to seek payment of outstanding debts. The interests of the customer are likely to differ from those of the finance company in this situation, as it may suit the customer to evade paying their outstanding debt.
However, the legitimate interest in passing the personal data to a debt collection agency in these circumstances would not be overridden by the interests of the customer. The balance would be in favour of the finance company.