Legitimate interests are considered the most flexible lawful basis for processing, but that doesn’t mean data controllers can invoke it at will.
In this article, we’ll discuss what the GDPR has to say about legitimate interests when interest can be deemed “legitimate,” and finally, what a data controller should consider before relying on this ground for processing personal data.
What does the GDPR say about Legitimate Interests?
According to Article 6(1)(f) of the GDPR, the processing of non-sensitive personal data should be considered legitimate when it is
«necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.»
If it sounds complicated, don’t worry. We’ll break it down.
But before we get there, let’s focus on a critical distinction Article 6 makes. According to its last paragraph, «Point (f) of the first subparagraph [the one we’ve just read, referring to legitimate interest] shall not apply to processing carried out by public authorities in the performance of their tasks.»
As a result, public authorities cannot invoke their legitimate interests when they want to process personal data related to the tasks they’re performing. Instead, they must rely on another legal basis, such as consent or public interest.
Data controllers other than public authorities don’t face similar limitations. Yet, they should not assume that your legitimate interest will always be the appropriate ground for processing personal data.
Let’s see why.
GDPR & Legitimate Interests: a 3-step test
In the 2017 “Valsts” case, the Court of Justice of the European Union (CJEU for short) clarified that data processing based on the “legitimate interests” ground is lawful only when three cumulative conditions are met:
- The interest pursued by the controller must, indeed, be “legitimate” (purpose test)
- The data processed must be necessary for satisfying that legitimate interest (necessity test), and
The fundamental rights and freedoms of the data subject must not take precedence over the controller’s legitimate interests (balancing test).
GDPR & Legitimate Interests: the Purpose Test
In theory, any interest can be considered legitimate (unless it’s blatantly unlawful).
The GDPR provides examples of what might constitute ‘legitimate interest’ in Recital 47.
«Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. […] The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.»
GDPR & Legitimate Interests: the Necessity Test
As Article 6(1)(f) states, the processing is only lawful when it’s «necessary for the purposes of the legitimate interests pursued by the controller.»
This means that even if you have a legitimate interest, you cannot rely on it for processing personal data that’s not necessary for this purpose.
Do you want to launch civil proceedings against someone (we hope you don’t, but that’s an example of legitimate interest)? Then you can process that person’s name, address, and birth date, but probably not their mobile phone, email, picture, or location data.
GDPR & Legitimate Interests: the Balancing Test
Last but not least, to lawfully invoke the legitimate interests ground, you have to ensure that the data subject’s fundamental rights and freedoms (such as privacy, security, the right to be forgotten, the secrecy of correspondence, etc.) are not unduly sacrificed by the processing activity.
Again, there’s no one-size-fits-all solution to determine when your legitimate interests prevail and when, on the contrary, they should give way to the data subject’s rights.
As the CJEU explained in the “Valsts” case, the balancing of interests must be done on a case-by-case basis. If you are in doubt, the best course of action is to seek professional legal advice.
Having said that, as a rule of thumb, there are two elements you can take into consideration:
- The reasonable expectations of the data subjects (would they expect you to use their data in this way?), and
- The potential harm you could cause them (how would the processing activities impact them?)
If data subjects could reasonably expect you to use their data in the way you’re using it, and if the harm caused by the processing activity is low or non-existent (for example, because you’ve taken steps to pseudo-anonymize the data), chances are your legitimate interests can override the rights and freedoms of the data subject.
GDPR & Legitimate Interests: the Right to Object
According to Article 21(1) of the GDPR, when personal data is processed under the “legitimate interests” ground, the data subject has the right to object to the processing.
Example of privacy settings. Users can object to the company’s usage of legitimate interest as a ground for processing their data.
GDPR & Legitimate Interests: The Takeaway
If you are a data controller, invoking your legitimate interests as a legal basis for processing personal data might be tempting. Yet, there are a few things to consider before doing so.
First, you have to ensure the interest you’re pursuing is legitimate. That’s relatively easy, as, in principle, most interests are. (You can check out the examples enumerated in Recital 47 of the GDPR).
Then you must consider whether the data you intend to process is necessary to pursue your legitimate interest. If there’s another, less intrusive way to achieve the same result, you should opt for it.
And finally, even if you’ve answered the previous questions in the affirmative, you have to ensure that your legitimate interest is not overrun by the data subject’s fundamental rights and freedoms. If your benefit comes at the expense of the data subjects, you need to find another ground for processing their data.
Last but not least, remember that data subjects can always object to your using legitimate interests as a ground for the processing. Inform them of this possibility, and make it easy for them to express their preferences.