Many entities are hoping to rely on “legitimate interests” as a legal ground for the processing of personal data. However, while legitimate interests may well be the most flexible ground for processing personal data, it’s not necessarily the easiest. Here are some of our thoughts on how to approach processing on the basis of legitimate interests and the importance of carefully documenting your approach.
As a starter, it’s crucial to remember that the legitimate interests ground calls for a balancing test, and the outcome of this test determines whether or not you can rely on legitimate interests as a legal ground for processing. This test is frequently referred to as a Legitimate Interest Assessment (LIA). You will also need to inform data subjects (i.e. the people whose data you’re processing) of your reasons for believing that you can process their data on the basis of legitimate interests. Finally, you must carefully document your LIA.
It’s also important to remember that not all processing can be based on legitimate interests. In particular, as discussed in our recent article (here), sometimes you will need consent to process personal data for e-marketing purposes. In addition, you cannot process special categories of personal data on the basis of legitimate interests. Public authorities are also excluded from processing on the basis of legitimate interests when performing their tasks.
Carrying out a Legitimate Interest Assessment (LIA)
When carrying out an LIA, you need to answer the following questions:
- what are the legitimate interests in question?
- what processing do you need to carry out for the purpose of those legitimate interests?
- what impact will the processing have on the data subjects’ interests or fundamental rights and freedoms?
There are no shortcuts here. You need to be able to answer each of these questions. You also need to remember that you’re not necessarily balancing two easily comparable things. In fact, you may need to undertake a complex assessment of a number of diverse factors.
What Legitimate Interests?
Legitimate interests are likely to come in all shapes and sizes. It may be an interest of yours, or that of a third party. Some interests will be relatively trivial, some extremely compelling. The more compelling the interest identified, the more likely it will be to outweigh the significance of its impact on the data subject’s interests/rights.
Legitimate interests can include commercial interests, individual interests or broader societal benefits. Examples of legitimate interests set out in the GDPR include processing personal data for direct marketing purposes, to prevent fraud, in the context of intragroup transfers and for information security. However, there are any number of other reasons why an entity may have a legitimate interest in processing personal data. Just remember, to be a legitimate interest, an interest must a) be lawful and b) represent a real and present interest (i.e., not speculative).
Here are some questions that you should consider when identifying whether there is a legitimate interest at play:
- Why do you want to process the data – what are you trying to achieve?
- Who benefits from the processing and in what way?
- Are there any wider public benefits to the processing?
- How important are those benefits?
- What would be the consequences if you couldn’t process the personal data?
- Would your use of the data be unethical or unlawful in any way?
Do you need to process the personal data?
It’s not enough to identify a legitimate interest; you must also need to process the data for the purpose of that interest. Consider whether:
- the processing will actually help further your identified legitimate interest;
- it is a reasonable way to go about furthering this interest; and
- there is a less intrusive way of achieving the same result.
What impact will the processing have on the data subject’s interests or fundamental rights and freedoms?
Here you need to consider all the potential consequences of the data processing for the data subject, including both negative and positive consequences. Relevant elements include the nature of the personal data, the way the information is being processed, the data subject’s reasonable expectations, your status and that of the data subject. You should be able to answer the following questions:
- What is the nature of your relationship with the data subject and would he or she expect you to process his or her data in this way?
- Is any of the data particularly sensitive or private? Remember you cannot process special categories of personal data on the ground of legitimate interests!
- Are you happy to explain to the data subject your reasons for processing his or her personal data?
- Is the data subject likely to object to the processing or find it intrusive?
- What is the possible impact of the processing on the data subject, including any potential risks (e.g. of a data breach) and the likelihood and potential consequences of those risks materialising?
- Are you processing children’s data?
- Are any of the data subjects vulnerable in any other way?
All data processing will impact on the rights and interests of data subjects to some degree including, in particular, their right to privacy. Data subjects also have a right to the protection of their personal data, and not to be unduly monitored. However, in some instances processing will have minimal impacts on these rights. Generally, processing that is likely to have more than minimal, negative or unpredictable consequences for the data subject is less likely to survive the balancing test.
Striking the Balance
Once you have your answers to the above questions, the final step in your legitimate interest assessment is to strike the balance between what is necessary for your interests (or those of third parties) and the data subject’s interests or fundamental rights and freedoms.
Generally, the more compelling the legitimate interest that you are pursuing, the more likely it is that interest will outweigh the impact of the data processing on the data subject. Conversely, more trivial legitimate interests are less likely to outweigh the data subject’s interests or fundamental rights.
Overall, the fact that the processing will have a negative impact on the data subject is not necessarily fatal. The real question is whether the processing will have a disproportionate impact on the data subject. Moreover, if your provisional assessment of the balance suggests that the impact may be disproportionate, you should then go on to consider whether there is any way for you to minimise that impact through the use of additional safeguards. These could include, for example, data minimisation, the use of privacy-enhancing technologies, increased transparency, and/or an easily workable and accessible mechanism allowing the data subject to opt out of the data processing.
If your LIA identifies significant risks to the rights and freedoms of data subjects, you may need to carry out a comprehensive Data Protection Impact Assessment (DPIA) to assess the risk and any potential mitigants in more detail.
You should keep your LIA under review and repeat the assessment if new information comes to light, or if circumstances change. Just because you have a legitimate interest in processing personal data now, does not mean that you will always be able to process on this basis.
Remember Your Privacy Notice
As set out in our previous article, if you are relying on the legitimate interest ground to process personal data, you need to say this in your privacy notice and explain what these interests are. You must also tell data subjects that they have the right to object to the processing and present this information clearly and separately from other information.
Remember, if you are relying on legitimate interests for direct marketing, the right to object is absolute and you must stop processing when the data subject objects. For other purposes, you must stop unless you can show that your legitimate interests are compelling enough to override the data subject’s rights.
Document your LIA
It is important that you document your LIA so that you have a record of why you think legitimate interests are an appropriate basis for processing the personal data. There is no prescribed format for documenting an LIA but you will need to be able to show that you have proper decision-making processes in place and that you can justify the processing.
What is required will vary according to the interests involved and you should adapt your documentation according to the nature and context of the processing. For example, where the data processing is likely to have a significant impact on the data subject’s interests or fundamental rights your documentation should provide comprehensive information on how you carried out the LIA and your reasons for deciding that you are justified in proceeding with the processing. If you considered carrying out a DPIA, but decided against it, you should also document this.
If you want more information on legitimate interests, take a look at these links:
- Legitimate Interests, Information Commissioner’s Office;
- Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, Article 29 Working Party;
- Guidance on the use of Legitimate Interests under the EU General Data Protection Regulation, Data Protection Network.