About this detailed guidance

These pages sit alongside our Guide to the GDPR and provide more detailed guidance for UK organisations on legitimate interests under the GDPR.

This guidance will help you to decide when to rely on legitimate interests as your basis for processing personal data and when to look at alternatives. It explains when using legitimate interests as a lawful basis is appropriate, what it means, and how to decide whether it applies to your particular processing operation.

The concept of ‘legitimate interests’ also appears in connection with international transfers (Article 49). However this guidance focuses on legitimate interests in its role as a lawful basis in Article 6.

For an introduction to the key themes and provisions of the GDPR, you should refer back to the guide. You can navigate back to the guide at any time using the link at the top of this page. Links to other relevant guidance and sources of further information are also provided throughout.

When downloading this guidance, the corresponding content from the Guide to the GDPR will also be included so you will have all the relevant information on this topic.

Contents

What’s new under the GDPR?

What is the ‘legitimate interests’ basis?

Is this a big change?

How is the wording different?

What else is new?

What are the key steps to take to prepare for the GDPR?

Can we move to legitimate interests from a different basis under the 1998 Act?

What does Article 6(1)(f) say about legitimate interests?

What is the three-part test?

What counts as a ‘legitimate interest’?

When is processing ‘necessary’?

What is the balancing test?

What are the individual’s ‘interests, rights and freedoms’?

What is the importance of reasonable expectations?

When do individuals’ interests override ours?

When can we rely on legitimate interests?

How do we apply legitimate interests in practice?

When might legitimate interests be appropriate?

Can we use it as the default basis for all of our processing?

What are the benefits of choosing legitimate interests?

Are there any disadvantages?

Can public authorities use legitimate interests?

Are there cases when the purpose will constitute a legitimate interest?

Are there cases when legitimate interests is likely to apply?

Can we use legitimate interests for employee or client data?

Can we use legitimate interests for intra-group transfers?

Can we use legitimate interests for our marketing activities?

Can we use legitimate interests for our business to business contacts?

Can we use legitimate interests to process children’s personal data?

Can we use legitimate interests to disclose data to third parties?

What about special category data?

When should we avoid choosing legitimate interests?

What are the alternatives?

What do we need to do in practice?

Why do we need to do an LIA?

What’s the process for an LIA?

(1) How do we do the purpose test?

(2) How do we do the necessity test?

(3) How do we do the balancing test?

How do we decide the outcome?

What happens next?

How does this tie in to DPIAs?

 

 

 

What else do we need to consider? 

 

What do we need to tell people?

What if our purposes change?

What rights will individuals have?