- Is this a big change?
- How is the wording different?
- What else is new?
- What are the key steps to take to prepare for the GDPR?
- Can we move to legitimate interests from a different basis under the 1998 Act?
No, this is not a big change. The role of legitimate interests as a potential lawful basis (or condition) for processing is not new. Legitimate interests was already one of the conditions for processing under the 1998 Act, and the wording of the two provisions is similar:
1998 Act (Schedule 2, paragraph 6): “The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.”
GDPR (Article 6(1)(f)): “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
There are some differences in wording, but the three key elements of the concept of legitimate interests remain the same:
- a legitimate interest;
- a necessity test;
- a balance with individuals’ interests, rights and freedoms.
The main changes instead arise out of the way legitimate interests interacts with new accountability and transparency requirements. There is also a bigger change for public authorities, who are more restricted in when they can rely on legitimate interests.
While the key elements remain the same, there are some small changes to the detail.
The legitimate interests you can rely on are no longer limited to your own interests or those of the third parties to whom you disclose the data. You can now consider the interests of any third party, including the wider benefits to society.
Under the 1998 Act, the processing had to be unwarranted because of prejudice to the individual’s rights, freedoms or legitimate interests before those interests would override yours, so the provision implied a focus on demonstrable harm. Prejudice is not a term used in the GDPR version of the provision, and the GDPR test is clearly intended to be wider than a pure harm-based assessment. For example, Recital 47 indicates that if the individual does not reasonably expect the processing, their interests and rights may override your legitimate interests.
The provision also highlights children’s data as requiring special consideration. If your processing includes children’s personal data, you must give particular weight to protecting their data and ensure that you properly consider their interests and their rights and freedoms. For further information see the section on children’s personal data and legitimate interests.
The GDPR brings in new accountability and transparency requirements.
Under the new accountability principle you need to be able to show that you have a lawful basis for each processing operation. If you are relying on legitimate interests, you need to document your assessment of how it applies to the particular processing, and ensure that you can justify your decision if necessary.
As the application of legitimate interests is not always self-evident, documenting your assessment of legitimate interests is particularly important in helping you to demonstrate compliance under the accountability principle.
Under the transparency requirements you must inform individuals upfront which lawful basis you are relying on. If you are relying on legitimate interests as your basis, you must also tell individuals what those legitimate interests are. See the section “What do we need to tell people?” for further information.
The ability of public authorities to rely on legitimate interests is more limited under the GDPR. For more information see the section “Can public authorities use legitimate interests?”.