What Does 'Legitimate Interest' Mean Under GDPR? - Databasix

What Does ‘Legitimate Interest’ Mean Under GDPR?

When you consider the kind of data that is collected across different organisations, it is obvious why it is so important that data is protected. Addresses, medical history, date of birth and credit history are just some of the types of personal data that are stored and protected under GDPR and measures are put in place to prevent data leaks.


What is legitimate interest under the GDPR?

Organisations that hold personal data must process it lawfully, fairly and transparently, and every processing operation needs one of the six lawful bases set out in the GDPR. Legitimate interests is one of those six. It applies where the organisation (or a third party) has a genuine reason to process the data and that reason is not outweighed by the individual's interests, rights and freedoms. The GDPR's recitals give examples of such reasons: processing within an existing client relationship, direct marketing, preventing fraud, and ensuring network and information security. Choosing this basis means you must be able to demonstrate that reasoning if asked.

Legitimate interest can be applied when:

  • The processing isn’t required by law, but there is a clear benefit to the organisation, the data subject or others. Legitimate interests are about balancing the organisation’s interests against those of the data subject.
  • There is little risk of the processing infringing on data subjects’ privacy.
  • The data subject would reasonably expect their data to be used in that way.

What counts as a legitimate interest?

Legitimate interest can be applied when processing the data is necessary for a purpose that serves the client’s interests, or the organisation’s own, and that purpose is not overridden by the individual’s rights and interests. For example:

  • Providing customers with information relating to a recent order or enquiry (such as updates on an order)
  • Making customers aware of important information which could affect them, such as changes to terms and conditions, or notifying them about a data breach
  • Saving a cookie because the user has ticked a “Remember my login” box

An example of this would be:
A digital marketing company manages an SME’s website. They feel that the SME would also benefit from having its PPC (pay-per-click advertising) managed, so they decide to send an ad hoc email about their PPC services. They have not asked for the SME’s consent to send a marketing email, but they have a legitimate reason to do so, so this is a legitimate interest. What they cannot do under legitimate interests is add the SME to a mailing list (such as a newsletter list), which results in repeated communication without consent.

When applying legitimate interest, it is important to have a clear outcome in mind and to be specific about your purpose, for example: “We have a legitimate interest in marketing additional services to existing customers to improve their sales and overall customer experience.” You must think about what you want to achieve with that particular processing operation.

The legitimate interest three part test

The ICO calls this the three-part test and it is used to determine whether or not you can rely on legitimate interest. It includes:

  • The purpose test: to determine whether your purpose for processing the data is legitimate
  • The necessity test: to make sure that the processing is necessary for that purpose
  • The balancing test: to make sure that the individual’s interests, rights and freedoms do not override your legitimate interest

The ICO has also published a legitimate interests checklist to help you decide whether legitimate interest can be applied to a proposed processing operation. All three parts of the test must be satisfied; if any one of them fails, legitimate interest cannot be used and you must find another lawful basis.


What does not count as legitimate interest?

There are occasions where the individual’s interests come first and in those instances, legitimate interest cannot be applied. Some examples of this include:

  • When the individual would not reasonably expect the processing
  • If the individual would be likely to object to the processing
  • If the processing would have a significant impact on the individual
  • If the processing would prevent them from exercising their rights
  • If the data you are processing is particularly sensitive, such as children’s data, criminal offence data or special category data

These will, however, depend on the individual circumstances of each case. GDPR offers a limited amount of information about what does not count as legitimate interest and it is the most flexible of the six lawful bases for processing personal data.

Is legitimate interest for cookies different?

Cookies are small pieces of data that a website asks the browser to store and send back on later requests; they are not code and cannot run anything themselves. They serve a variety of purposes, from keeping a user logged in (the cookie should hold a random session token, never the password itself) and remembering preferences, to tracking users for marketing or supporting website analytics.

There are also different types of cookies:

  • 1st party cookies, set by the site the user is actually visiting
  • 3rd party cookies, set by another domain (for example an advertising or analytics provider embedded in the page)
  • Session cookies, which are discarded when the browser session ends
  • Persistent cookies, which carry an expiry date or maximum age and survive until then

Only cookies that fall within the ‘strictly necessary’ exemption can be set on a user’s device without consent, with legitimate interests (or contract) as the GDPR lawful basis for the associated processing; every other cookie must rely on consent.

An example of a strictly necessary cookie may be a session or persistent cookie which an eCommerce site requires in order to remember which items a user has placed in their basket, or a persistent cookie which is placed when you tick “remember my login details” on a login form. In that second case the cookie should contain an unguessable token that the server can revoke, not the login details themselves.

This has been tested in the UK and European courts. Any site still relying on legitimate interest for 3rd party cookies that are not strictly necessary is in breach of PECR (the Privacy and Electronic Communications Regulations).

So is the use of cookies different when it comes to legitimate interest? No. Legitimate interest is the overarching principle and cookies are just a single example of where considerations need to be applied.

If you’d like to know more, check out our training course on cookie compliance for websites and apps.

Legitimate interest vs consent

Legitimate interest is when you have a legitimate reason to process someone’s data. Consent is when they give you permission to do so. If an individual gives consent, you are free to process their personal data within the scope of what they have consented to, and no further. For example, they may consent to cookies that remember their preferences but not to cookies that retarget them for marketing. Similarly, some users will be happy for you to use cookies for site analytics or statistics, but you cannot set any cookies by default unless they are classed as “essential”. Essential cookies are required for the correct operation of the site, such as holding the items a user has placed in their shopping cart so that their order can be processed.

As a result, when considering legitimate interest for cookies, it’s important to have a detailed list and understanding of what each cookie does, what category type it may fall into, whether it’s a first or third party cookie and ultimately whether legitimate interest can be used as a basis for installing the cookie or whether you will require the user’s consent.
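The inventory described above, and the rule that only essential cookies may be set before consent, can be checked mechanically. The following is an added example written for this article, not Databasix code: it takes a constructed list of Set-Cookie headers (the site host `shop.example`, the tracker host, the cookie names and the category labels are all assumed) and classifies each cookie as first- or third-party and session or persistent, records whether consent is required, flags missing Secure/HttpOnly/SameSite attributes, and gates which cookies may be set against the user’s recorded consent.

```javascript
// Cookie inventory audit and consent gate. Added example for this article; not Databasix code.
// The site host, the sample Set-Cookie headers and the category labels are all assumptions.

const SITE_HOST = "shop.example"; // assumed first-party host of the site being audited

// Constructed inventory: one record per cookie observed being set, with the host that set it
// and the category the site's cookie policy assigns to it.
const SAMPLE_COOKIES = [
  { setBy: "shop.example", category: "strictly_necessary", purpose: "basket and login session",
    header: "session_id=9f1c2a; Path=/; Secure; HttpOnly; SameSite=Lax" },
  { setBy: "shop.example", category: "strictly_necessary", purpose: "user ticked 'remember my login'",
    header: "remember_me=tok_7f3a; Max-Age=2592000; Path=/; Secure; HttpOnly; SameSite=Lax" },
  { setBy: "shop.example", category: "analytics", purpose: "site analytics",
    header: "_ga=GA1.2.123456; Max-Age=63072000; Path=/" },
  { setBy: "cdn.tracker.example", category: "marketing", purpose: "ad retargeting",
    header: "fr=AbCdEf; Domain=.tracker.example; Expires=Tue, 01 Jan 2030 00:00:00 GMT; Secure; SameSite=None" },
];

// Split a Set-Cookie header value into name, value and a lower-cased attribute map.
function parseSetCookie(header) {
  const [nameValue, ...rest] = header.split(";").map((s) => s.trim());
  const eq = nameValue.indexOf("=");
  const attrs = {};
  for (const a of rest) {
    if (!a) continue;
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : a.slice(i + 1).trim();
  }
  return { name: nameValue.slice(0, eq), value: nameValue.slice(eq + 1), attrs };
}

// First party if the explicit Domain attribute (or, failing that, the host that set the cookie)
// is the site host, a subdomain of it, or a parent domain covering it.
function cookieParty(attrs, setBy, siteHost) {
  const domain = String(attrs.domain || setBy).replace(/^\./, "").toLowerCase();
  const site = siteHost.toLowerCase();
  const firstParty = domain === site || domain.endsWith("." + site) || site.endsWith("." + domain);
  return firstParty ? "first-party" : "third-party";
}

// Session cookie if neither Max-Age nor Expires is present; otherwise persistent.
function cookieLifetime(attrs) {
  return "max-age" in attrs || "expires" in attrs ? "persistent" : "session";
}

// Under PECR only strictly necessary cookies may be set without consent.
function requiresConsent(category) {
  return category !== "strictly_necessary";
}

// Attributes a practitioner expects on cookies; HttpOnly is only demanded of first-party ones,
// since a third-party cookie's script access is the third party's concern.
function securityNotes(parsed, party) {
  const notes = [];
  if (!("secure" in parsed.attrs)) notes.push("missing Secure");
  if (party === "first-party" && !("httponly" in parsed.attrs)) notes.push("missing HttpOnly");
  if (!("samesite" in parsed.attrs)) notes.push("missing SameSite");
  return notes;
}

// Build the inventory table: what each cookie is, who sets it, how long it lives,
// and whether consent is needed before it is set.
function auditCookies(records, siteHost) {
  return records.map((r) => {
    const parsed = parseSetCookie(r.header);
    const party = cookieParty(parsed.attrs, r.setBy, siteHost);
    return {
      name: parsed.name,
      party,
      lifetime: cookieLifetime(parsed.attrs),
      category: r.category,
      purpose: r.purpose,
      requiresConsent: requiresConsent(r.category),
      securityNotes: securityNotes(parsed, party),
    };
  });
}

// Consent gate: given the user's recorded consent per category, return the names of cookies
// that may be set now. Strictly necessary cookies never wait for consent; everything else does.
function permittedToSet(records, consent) {
  return records
    .filter((r) => !requiresConsent(r.category) || consent[r.category] === true)
    .map((r) => parseSetCookie(r.header).name);
}

console.log(JSON.stringify(auditCookies(SAMPLE_COOKIES, SITE_HOST), null, 2));
console.log("may set before any consent:", permittedToSet(SAMPLE_COOKIES, {}));
console.log("with analytics consent only:", permittedToSet(SAMPLE_COOKIES, { analytics: true, marketing: false }));
```

Note that the first-party analytics cookie still comes out as requiring consent: being first-party says nothing about whether a cookie is strictly necessary, and the gate is driven by the category your policy assigns, not by who sets the cookie.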

How to conduct a legitimate interest assessment (LIA)

A legitimate interests assessment (LIA) is the ICO’s three-part test carried out and written down before the processing starts, so that you can demonstrate the decision if it is challenged. Record your answer to each part:

  • The purpose test: what you are trying to achieve, and why that purpose is legitimate
  • The necessity test: why the processing is necessary for that purpose, and why a less intrusive way of achieving it would not do
  • The balancing test: what impact the processing has on the individual, whether they would reasonably expect it, and why their interests, rights and freedoms do not override yours

Keep the completed assessment with your other processing records and revisit it if the purpose or the data involved changes.

Learn more about legitimate interests with our GDPR for Beginners Training Course

The information and remarks provided in this article represent insight and guidance for best practice which is correct or valid or appropriate at time of publication.

Contact Databasix

Email info@dbxuk.com
Tel 01865 346080

Get Data Protection Services t/a Databasix
is a registered company in England & Wales.
Registration No. 15292208

Unit B Oakwood
Oakfield Industrial Estate
Eynsham
Witney
OX29 4TH
