GDPR: What is legitimate interest?

Book a demo

smiling,indian,businessman,working,on,laptop,in,modern,office,lobby

Under Article 6 1(f)

‘Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of Personal Data, in particular where the data subject is a child.’ Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.’

Under Recital 47

‘The legitimate interests of a controller, including those of a controller to which the Personal Data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller.’ Under the Data Protection Act and GDPR, there are six lawful circumstances that allow you to process personal data. These are consent, contractual, legal obligation, vital interest, public task and legitimate interest.

In certain circumstances, you may have a genuine reason and necessity to process personal data without the consent of the data subject. This is known as legitimate interest. But before you go getting too excited, there are three requirements that an organisation must meet before it can claim it is processing data using the legitimate interest condition.

The need

Firstly, the organisation must be able to demonstrate a need to process this information, as well as the need of the third party that would be in receipt of the data.

The Information Commissioner‘s Office gives an example of a finance company needing to track down a customer who has defaulted on their payment and moved away.

The debt collection agency needs to have the customer’s data in order to recover the debt.

The balance

The interests of both parties should be balanced. Although it is not necessary for both parties to be completely in harmony.

The Information Commissioner‘s Office says that ‘the legitimate interests condition will not be met if the processing is unwarranted because of its prejudicial effect on the rights and freedoms, or legitimate interests, of the individual’. But it also says that if there is a serious mismatch between competing interests, the individual’s legitimate interests will come first’.

So in the example of the debt collection, the agency being given data of the evader would be seen as reasonable, therefore would be acceptable under legitimate interest.

The law

Once the above points have been satisfied, the organisation must be able to demonstrate that the processing of this data is fair, lawful and complies with Data Protection principles. The information must be accurate and up to date. They should also ensure that only the relevant data is given in order to carry out the task in hand.

ISMS.online will save you time and money towards ISO 27001 certification and make it simple to maintain.

Daniel Clements

Information Security Manager, Honeysuckle Health

Book a demo

We can’t think of any company whose service can hold a candle to ISMS.online.
Vivian Kroner
ISO 27001, 27701 and GDPR lead implementer Aperian Global
100% of our users pass certification first time
Book your demo

Using legitimate interest with the right to erasure

The data subject will still have the right to object to their data being used without their consent. If the processing of that data could not be justified as above, or if that data is being used for a new purpose, then the subject could exercise their right to be forgotten.

Which industries are most likely to use legitimate interest?

As you start to become more familiar with legitimate interest, you will see that almost any industry could have a case for using the condition. We should, therefore, look at some of the scenarios that could lead to this outcome.

Ethical purposes – This will most likely be used by charities as it could be argued that sharing data would be in the interest of the individual in need as well as the charity.

Suppression – If a data subject requests their removal from a marketing database, the organisation can hold limited information on them to ensure their request is carried out.

Personalisation – This could involve a website using analytics to predict what a customer will want to purchase based on their browsing history.

Human resources – An employer processes data to allow their employees benefits like health insurance and childcare vouchers.

Health trends – Scientific researchers may need personal data to analyse seasonal health problems, like the spread of flu and other diseases.

See our platform features in action

A tailored hands-on session based on your needs and goals

Book your demo

100% of our users achieve ISO 27001 certification first time

Start your journey today
See how we can help you

ISMS.online now supports ISO 42001 - the world's first AI Management System. Click to find out more