Tricia Higgins
Many entities are hoping to rely on “legitimate interests” as a legal ground for the processing of personal data. However, while legitimate interests may well be the most flexible ground for processing personal data, it’s not necessarily the easiest. Here are some of our thoughts on how to approach processing on the basis of legitimate interests and the importance of carefully documenting your approach.
As a starter, it’s crucial to remember that the legitimate interests ground calls for a balancing test and the outcome of this test determines whether or not you can rely on legitimate interests as a legal ground for processing. This test is frequently referred to as a Legitimate Interest Assessment (LIA). You will also need to inform data subjects (e.g. the people whose data you’re processing) of your reasons for believing that you can process their data on the basis of legitimate interests. Finally, you must carefully document your LIA.
It’s also important to remember that not all processing can be based on legitimate interests. In particular, as discussed in our recent article (here), sometimes you will need consent to process personal data for e-marketing purposes. In addition, you cannot process special categories of personal data, on the basis of legitimate interests. Public authorities are also excluded from processing on the basis of legitimate interests when performing their tasks.
When carrying out an LIA, you need to answer the following questions:
There are no shortcuts here. You need to be able to answer each of these questions. You also need to remember that you’re not necessarily balancing two easily comparable things. In fact, you may need to undertake a complex assessment of a number of diverse factors.
Legitimate interests are likely to come in all shapes and sizes. It may be an interest of yours, or that of a third party. Some interests will be relatively trivial, some extremely compelling. The more compelling the interest identified, the more likely it will be to outweigh the significance of its impact on the data subject’s interests/rights.
Legitimate interests can include commercial interests, individual interests or broader societal benefits. Examples of legitimate interests set out in the GDPR, include processing personal data for direct marketing purposes, to prevent fraud, in the context of intragroup transfers and for information security. However, there is any number of other reasons why an entity may have a legitimate interest in processing personal data. Just remember, to be a legitimate interest, an interest must be a) lawful and b) represent a real and present interest (ie, not speculative).
Here are some questions that you should consider when identifying whether there is a legitimate interest at play:
It’s not enough to identify a legitimate interest; you must also need to process the data for the purpose of that interest. Consider whether:
Here you need to consider all the potential consequences of the data processing for the data subject, including both negative and positive consequences. Relevant elements include the nature of the personal data, the way the information is being processed, the data subject’s reasonable expectations, your status and that of the data subject. You should be able to answer the following questions:
All data processing will impact on the rights and interests of data subjects to some degree including, in particular, their right to privacy. Data subjects also have a right to the protection of their personal data, and not to be unduly monitored. However, in some instances processing will have minimal impacts on these rights. Generally, processing that is likely to have more than minimal, negative or unpredictable consequences for the data subject is less likely to survive the balancing test.
Once you have your answers to the above questions, the final step in your legitimate interest assessment is to strike the balance between what is necessary for your interests (or those of third parties) and the data subject’s interests or fundamental rights and freedoms.
Generally, the more compelling the legitimate interest that you are pursuing, the more likely it is that interest will outweigh the impact of the data processing on the data subject. Conversely, more trivial legitimate interests are less likely to outweigh the data subject’s interests or fundamental rights.
Overall, the fact that the processing will have a negative impact on the data subject is not necessarily fatal. The real question is whether the processing will have a disproportionate impact on the data subject. Moreover, if your provisional assessment of the balance suggests that the impact may be disproportionate, you should then go on to consider whether there is any way for you to minimise that impact through the use of additional safeguards. These could include, for example, data minimisation, the use of privacy-enhancing technologies, increased transparency, and/or an easily workable and accessible mechanism allowing the data subject to opt out of the data processing.
If your LIA identifies significant risks to the rights and freedoms of data subjects, you may need to carry out a comprehensive Data Protection Impact Assessment to assess the risk and any potential mitigants in more detail.
You should keep your LIA under review and repeat the assessment if new information comes to light, or if circumstances change. Just because you have a legitimate interest in processing personal data now, does not mean that you will always be able to process on this basis.
As set out in our previous article, if you are relying on the legitimate interest ground to process personal data, you need to say this in your privacy notice and explain what these interests are. You must also tell data subjects that they have the right to object to the processing and present this information clearly and separately from other information.
Remember, if you are relying on legitimate interests for direct marketing, the right to object is absolute and you must stop processing when the data subject objects. For other purposes, you must stop unless you can show that your legitimate interests are compelling enough to override the data subject’s rights.
It is important that you document your LIA so that you have a record of why you think legitimate interests are an appropriate basis for processing the personal data. There is no prescribed format for documenting an LIA but you will need to be able to show that you have proper decision-making processes in place and that you can justify the processing.
What is required will vary according to the interests involved and you should adapt your documentation according to the nature and context of the processing. For example, where the data processing is likely to have a significant impact on the data subject’s interests or fundamental rights your documentation should provide comprehensive information on how you carried out the LIA and your reasons for deciding that you are justified in proceeding with the processing. If you considered carrying out a DPIA, but decided against it, you should also document this.
If you want more information on legitimate interests, take a look at these links:
Sign-up to receive news and information from Fort Privacy
Fort Privacy processes your personal data in order to respond to your query and provide you with information about our products and services. Please see our Data Protection Statement for further information
As a technologist, I am both excited and appalled at the developments in AI and it seems from various surveys that I am not alone. My greatest wish is that we can harness its power for good while dampening its power for misuse. It is early days yet – let’s hope this wish comes true!
Everyone loves a quiz so we decided we would kick-off the new year with a bit of tongue-in-cheek fun.
Continuing the tradition of the Fort Privacy Christmas blog this year we are thinking about Santa and AI. Well, we need to keep these articles topical after all!
