The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller (recital 47 of the GDPR).
Legitimate interests is the most flexible lawful basis for processing, but you cannot assume it will always be the most appropriate. It is likely to be most appropriate where a data controller uses people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing (ICO Guidelines).
- Recitals 47-49 of the GDPR.
- Article 6 § 1 f of the GDPR.
- Art29WP Opinion 06/2014 on the notion of legitimate interest of the data controller under Article 7 of Directive 95/46/EC (WP 217), adopted by WP29 on 9 April 2014, p. 16-17.
- Art29WP Guidelines on Consent under Regulation 2016/679 (wp259rev.01).
- EDPB Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects.
Processing of personal data shall be lawful only if and to the extent that such processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (article 6 § 1 f of the GDPR).
The foregoing legal basis does not apply to processing carried out by public authorities in the performance of their tasks (article 6 § 1 f of the GDPR). They may however rely on legitimate interests in cases where they are processing for a legitimate reason other than performing their tasks as a public authority (ICO Guidelines).
The Three-Part Test
There are three elements to the legitimate interest basis as follows (ICO Guidelines):
- First, a legitimate interest is identified;
- Second, the processing is proven to be necessary to achieve it; and
- Third, a balance exercise between the legitimate interest and the individual’s interests, rights and freedoms is conducted.
Legitimacy of Interests
The legitimate interests can be the interests of the controller or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits (ICO Guidelines).
The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest (recital 47 of the GDPR).
Controllers that are part of a group of undertakings or institutions affiliated to a central body may have a legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of clients’ or employees’ personal data (recital 48 of the GDPR).
The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems (recital 49 of the GDPR).
Necessity of Processing
The purported data processing ought to be necessary. If the controller can reasonably achieve the same result in another, less intrusive way, legitimate interests cannot validly be invoked as the legal basis.
Balancing of Interests and / or Rights
The controller must balance its interests against the rights and / or interests of the data subject.
In the relevant balancing test, the controller ought to assess each part of the three-part test and document the outcome so that it can demonstrate that a legitimate interest applies. This exercise is referred to as a “Legitimate Interests Assessment” (“LIA”). A LIA is a type of light-touch risk assessment based on the specific context and circumstances of the processing. Even though there is no specific requirement in the GDPR to carry one out, a LIA is strongly recommended as best practice to demonstrate compliance with the GDPR (ICO Guidelines).
The LIA should take into account:
- Status of the Data Controller and Data Subject: The status of the data subject and the data controller is relevant when assessing the impact of the processing. Depending on whether the data controller is an individual or a small organization or a large multi-national company, and on the specific circumstances, its position may be more or less dominant in respect of the data subject. A large multinational company may, for instance, have more resources and negotiating power than the individual data subject, and therefore, may be in a better position to impose on the data subject what it believes is in its ‘legitimate interest’. On the other hand, the status of the data subject is also relevant. While the balancing test should in principle be made against an average individual, specific situations should lead to a more case-by-case approach: for example, it would be relevant to consider whether the data subject is a child or otherwise belongs to a more vulnerable segment of the population (WP Opinion 6/2014, p. 40).
- The Nature and Source of the Legitimate Interests: The LIA should evaluate whether legitimate interests refer to a fundamental right, such as freedom of expression and information, freedom of the arts and sciences, right of access to documents, as well as for instance the right to liberty and security, the freedom of thought, conscience and religion, the freedom to conduct a business, the right to property, the right to an effective remedy and to a fair trial, or the presumption of innocence and right of defence; or public interests / the interests of the wider community, such as combatting financial fraud or other fraudulent use of services (WP Opinion 6/2014, p. 32-35).
- The Nature of the Personal Data: The LIA should evaluate whether personal data refer to special categories of data; criminal offence data; other types of data that people are likely to consider particularly ‘private’, such as financial data; children’s data or data relating to other vulnerable individuals; or data about people in their personal or professional capacity;
- The Reasonable Expectations of the Data Subject: The LIA should evaluate whether personal data are used in ways that data subjects would reasonably expect, unless there is a valid reason to the contrary. In this context, factors such as the relationship with data subjects and the circumstances of collecting their data may be of particular relevance. A legitimate interest could exist, for example, where there is a relevant and appropriate relationship between the data subject and the controller, such as where the data subject is a client or in the service of the controller (recital 47 of the GDPR);
- The Likely Impact of the Processing: The LIA should evaluate whether or not personal data are used in ways that data subjects would find intrusive or which could cause them harm, unless there is a valid reason to the contrary. Such harm may include barriers to data subjects exercising their rights; barriers to data subjects accessing services or opportunities; any loss of control over the further use of personal data; physical harm; financial loss, identity theft or fraud; or any other significant economic or social disadvantage (such as discrimination, loss of confidentiality or reputational damage).
The more sensitive or ‘private’ the data, the more likely the processing is to be considered intrusive or to create significant risks to the data subject’s rights and freedoms, for example by putting data subjects at risk of unlawful discrimination. The controller is therefore likely to need a more compelling reason to use this type of data and must take particular care to put adequate safeguards in place (WP Opinion 6/2014, p. 39).
Reasonable expectations of the data subject may be in place in light of the particular circumstances of the processing, such as the nature of the relationship with the data subject; past uses of their data; the direct collection of data from the data subject; the adequacy of the relevant privacy notice; market research showing the existence of such expectations. Reasonable expectations of the data subject should be in place at the time and in the context of the collection of the personal data that processing for that purpose may take place (recital 47 of the GDPR).
The likelihood that the risk materialises on the one hand, and the severity of the consequences on the other hand, jointly contribute to the overall assessment of the potential impact (WP Opinion 6/2014, p. 38). The identification of a potentially high risk should lead to the execution of a DPIA and will require a much more compelling legitimate interest to satisfy the balancing test. If a lower risk is identified, the potential benefits of the processing will need to outweigh the harm inflicted by such a risk. In this context, the application of appropriate safeguards to reduce or mitigate this risk will be of importance (e.g. collecting less data or providing data subjects with an opt-out).
Legitimate interests of the controller, when minor and not very compelling, may in general only override the interests and rights of data subjects in cases where the impact on these rights and interests is even more trivial. On the other hand, important and compelling legitimate interests may in some cases, and subject to safeguards and measures, justify even significant intrusion into privacy or other significant impact on the interests or rights of the data subjects (WP Opinion 6/2014, p. 30).
In general, the more negative or uncertain the impact of the processing might be, the more unlikely it is that the processing will be considered, on balance, as legitimate (WP Opinion 6/2014, p. 40).
The use of safeguards alone is of course not sufficient to justify any kind of processing in all contexts. Further, the safeguards in question must be adequate and sufficient, and must unquestionably and significantly reduce the impacts on data subjects (WP Opinion 6/2014, p. 30).
The controller may consider whether it is possible to introduce additional measures, going beyond compliance with horizontal provisions of the Directive, to help reduce the undue impact of the processing on the data subjects. Additional measures may include, for example, providing an easily workable and accessible mechanism to ensure an unconditional possibility for data subjects to opt-out of the processing. These additional measures may in some (but not all) cases help tip the balance (WP Opinion 6/2014, p. 41).
The controller should take the following actions in order to comply with the principle of accountability (article 5 § 2 of the GDPR):
- Keep a record of legitimate interests pursued;
- Provide relevant information to the data subject about the legitimate interests pursued;
- Document in a LIA the balancing test between the legitimate interests pursued and the data subject’s rights and / or interests;
- Conduct a DPIA in high risk activities;
- If children’s data are processed, take extra care to make sure their interests are protected;
- Consider safeguards to reduce the impact where possible;
- Consider whether an opt-out to the processing can be offered.