Under Article 6 1(f)
‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of Personal Data, in particular where the data subject is a child.’ Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.’
Under Recital 47
‘The legitimate interests of a controller, including those of a controller to which the Personal Data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller.’
Under the Data Protection Act and GDPR, there are six lawful circumstances that allow you to process personal data. These are consent, contractual, legal obligation, vital interest, public task and legitimate interest.
In certain circumstances, you may have a genuine reason and necessity to process personal data without the consent of the data subject. This is known as legitimate interest. But before you go getting too excited, there are three requirements that an organisation must meet before it can claim it is processing data using the legitimate interest condition.
Firstly, the organisation must be able to demonstrate a need to process this information, as well as the need of the third party that would be in receipt of the data.
The Information Commissioner‘s Office gives an example of a finance company needing to track down a customer who has defaulted on their payment and moved away.
The debt collection agency needs to have the customer’s data in order to recover the debt.
The interests of both parties should be balanced. Although it is not necessary for both parties to be completely in harmony.
The Information Commissioner‘s Office says that ‘the legitimate interests condition will not be met if the processing is unwarranted because of its prejudicial effect on the rights and freedoms, or legitimate interests, of the individual’. But it also says that if there is a serious mismatch between competing interests, the individual’s legitimate interests will come first’.
So in the example of the debt collection, the agency being given data of the evader would be seen as reasonable, therefore would be acceptable under legitimate interest.
Once the above points have been satisfied, the organisation must be able to demonstrate that the processing of this data is fair, lawful and complies with Data Protection principles. The information must be accurate and up to date. They should also ensure that only the relevant data is given in order to carry out the task in hand.
Using legitimate interest with the right to erasure
The data subject will still have the right to object to their data being used without their consent. If the processing of that data could not be justified as above, or if that data is being used for a new purpose, then the subject could exercise their right to be forgotten.
Which industries are most likely to use legitimate interest?
As you start to become more familiar with legitimate interest, you will see that almost any industry could have a case for using the condition. We should, therefore, look at some of the scenarios that could lead to this outcome.
Ethical purposes – This will most likely be used by charities as it could be argued that sharing data would be in the interest of the individual in need as well as the charity.
Suppression – If a data subject requests their removal from a marketing database, the organisation can hold limited information on them to ensure their request is carried out.
Personalisation – This could involve a website using analytics to predict what a customer will want to purchase based on their browsing history.
Human resources – An employer processes data to allow their employees benefits like health insurance and childcare vouchers.
Health trends – Scientific researchers may need personal data to analyse seasonal health problems, like the spread of flu and other diseases.
Ready to take action with GDPR?
Julia Heron is the ISMS Solutions Specialist for ISMS.online and is responsible for customer adoption and success.