GDPR Legitimate Interests: An Overview
Article 6 of the EU General Data Protection Regulation (GDPR) provides for a lawful basis of processing based on the legitimate interests of the controller or third-party. Therefore, it is a strong candidate to be an alternative to comply with the GDPR requirements for obtaining consent. However, the GDPR legimate interest basis doesn’t receive the same coverage in the text as informed consent or transparent processing. Organizations that wish to rely on this lawful basis are left to consider the interplay of Article 6, Recitals 47-50 and the guidance of the data supervisory authorities in order to figure out whether they will qualify for this basis for processing.
Legitimate interests have been called the “most flexible lawful basis,” but it is not always appropriate and requires extra responsibility to ensure the protection of the data subject rights. The UK ICO has said that this basis for lawful processing is most appropriate where the usage of data would be reasonably expected by the data subject and the processing has a minimal privacy impact. As a result of this analysis, the decision to rely on the legimate interest exception needs to be carefully documented pursuant Article 30 of the GDPR. The ICO has said that the “biggest change” in this basis, which is not new in data privacy law, is the need to document the analysis.
Two of the most important aspects of determining that there is a legitimate interest is noting that the individual’s interests do not override the organization/third-party interest and that there is no less intrusive way to achieve the same result. If either situation is present, then it is unlikely that the legitimate interest is appropriate to rely upon and another lawful basis should be sought.
How Did GDPR Change Legitimate Interests?
– The justification for a legitimate interest has been widened to include any third party including wider public benefits for society.
– The previous limitation to cases of unwarranted prejudice to the individual’s rights and freedoms has been lifted and it now applies generally to times where the legitimate interests are overriden by the interests of the data subject.
– Special consideration for the rights of children has been explicitly included in the text.
– Documentation of legitimate interests decisions must be kept under the GDPR accountability principle.
Legitimate Interest Examples
– Recital 47: direct marketing
– Recital 47: fraud prevention
– Recital 48: intra-group data transfers
– Recital 49: network and information security
– Recital 50: reporting possible criminal acts or public security threats
GDPR Legitimate Interests Assessments
The UK ICO has said that the analysis of legitimate interests can be broken down into a three part test:
1. Purpose – Is the organization pursuing a legitimate interest?
2. Necessity – Is the processing necessary for that purpose?
3. Balancing – Does the individual’s interests outweigh the organization’s interest?
Each component of the LIA should be documented pursuant to the Article 30 recordkeeping requirement.
The ICO has proposed a few different questions that should be asked as part of a Legitimate Interests Assessment with regard to the purpose and benefits of processing:
– Why do you want to process the data – what are you trying to achieve?
– Who benefits from the processing and how?
– Are there any broad public benefits?
– How important are those benefits?
– What is the impact be if you couldn’t go ahead?
– Is the proposed conduct unethical or unlawful in any way?
To establish lawful processing under this basis, the processing must be targeted and proportionate to the aim sought. In order to establish that it is necessary, the UK ICO suggests asking:
– Does this processing actually further the identified interests?
– Is it a reasonable way to proceed?
– Is there another less intrusive alernative to reach the same result?
There is no formula for pursing the balancing test as part of a legimate interests assessment. Some of the questions that should be asked as part of this inquiry pursuant to the ICO include:
– What is the nature of your relationship with the data subject?
– Is it particularly sensitive or private data?
– Would this data processing be reasonably expected?
– Are some people likely to object or find?
– What is the possible impact on the data subject?
– Are you processing children’s data?
– Can you adopt any safeguards to minimise the impact?
– Can you offer an opt-out?
When Should Legitimate Interest Not be Used?
The UK ICO has provided a few examples of when the legitimate interest basis should not be relied upon:
– if personal data is used in a manner that people do not understand or would not reasonably expect.
– if some people would object if the manner was explained to them
– if it could cause harm, unless there is nevertheless a compelling reason
– if another law requires consent, such as the UK Privacy and Electronic Communications Regulations
– if the outcome of the balancing test is unclear
Because the GDPR requires transparency, the ICO has said that your privacy disclosures must identify if you are relying on legitimate interests and explain the interests in plain English.
Objecting to Legitimate Interest in Direct Marketing
The ICO has said that individuals have an absolute right to object to override use of the legitimate interest for direct marketing. If a data subject objects to the processing of their data for direct marketing, the controller must stop process the direct marketing.
Contact Clarip for CCPA and GDPR Software
The Clarip privacy management software is ready to help improve your organization’s privacy practices. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo with a member of the Clarip team.
If your immediate need is California Consumer Privacy Act compliance, take a look at our CCPA software. From consent management to powerful DSAR Software, Clarip offers enterprise privacy management at an affordable price.
Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo and speak to a member of the Clarip team.