Legitimate interests is the most flexible of the six lawful bases. It is not focused on a particular purpose and therefore gives you more scope to potentially rely on it in many different circumstances.
It may be the most appropriate basis when:
the processing is not required by law but is of a clear benefit to you or others;
there’s a limited privacy impact on the individual;
the individual should reasonably expect you to use their data in that way; and
you cannot, or do not want to, give the individual full upfront control (ie consent) or bother them with disruptive consent requests when they are unlikely to object to the processing.
There may also be occasions when you have a compelling justification for the processing which may mean that a more intrusive impact on the individual can be warranted. However in such cases you need to ensure that you can demonstrate that any impact is justified.
The legitimate interests basis is likely to be most useful where there is either a minimal impact on the individual, or else a compelling justification for the processing.
Can we use it as the default basis for all of our processing?
No. Although legitimate interests is a flexible concept and will often be relevant, it does not apply to everything and you are not able to use it as the default basis for all your processing.
None of the lawful bases take precedence over the others, and you should always use the one that is most appropriate to the circumstances having considered the purpose of the processing.
You should carefully consider whether legitimate interests is the appropriate lawful basis for the particular processing operation. You should not look to rely on it simply because it may initially seem easier to apply than other lawful bases. It is not always the easiest option, and in fact it places more responsibility on you to justify your processing and any impact on individuals. In effect, it requires a risk assessment based on the specific context and circumstances to demonstrate that the processing is appropriate.
What are the benefits of choosing legitimate interests?
Because this basis is not purpose-specific, it is particularly flexible and it may be applicable in a wide range of different situations. It can also give you more ongoing control and security over your long-term processing than consent, where an individual could withdraw their consent at any time. Remember, though, that you still have to consider objections.
It also promotes a risk-based approach to compliance as you need to think about the impact of your processing on individuals, which can help you identify risks and take appropriate safeguards. This can also support your obligation to ensure ‘data protection by design’, and help you identify when you might need to do a data protection impact assessment (DPIA).
Using this basis for processing that is expected and has a low privacy impact may help you avoid bombarding people with unnecessary consent requests and can help avoid ‘consent fatigue’. It can also, if done properly, be an effective way of protecting the individual’s interests, especially when combined with clear privacy information and an upfront opportunity to opt out.
Are there any disadvantages?
You may find there is more work for you to do to justify the application of legitimate interests compared to some of the other lawful bases. For example, the other lawful bases which incorporate a necessity test specify the purpose of the processing. Legitimate interests, however, gives you the job of explaining your purpose and justifying why this is in your legitimate interests, in addition to having to demonstrate the necessity of the processing. The onus is also on you to ensure – and demonstrate – that your interests are balanced against those of the individual.
It may be harder to demonstrate compliance as there is more scope for disagreement over the outcome of the balancing test. You need to be able to clearly justify your decision that the balance actually favours you processing the data.
If you intend to rely on legitimate interests you need to be confident about taking on the responsibility of protecting the interests of the individual. If it is more appropriate to put the onus on individuals to take responsibility for the use of their data, then you may wish to consider whether consent would be a more appropriate lawful basis.
Can public authorities use legitimate interests?
Yes, in some instances public authorities are able to consider using legitimate interests as a lawful basis.
However, if you are a public authority you cannot use legitimate interests as your lawful basis if the processing is in the performance of your tasks as a public authority. The GDPR explains that the reason for this exclusion is that it is for the legislature to give public authorities the legal authority to process personal data; ie if you are a public authority you should only be able to process personal data in performance of your tasks if the law has given you authorisation.
Other lawful bases are available to you if you are a public authority and these are likely to be more appropriate for some types of processing that you undertake; eg if you are performing your tasks you should instead consider the ‘public task’ basis.
Whilst you cannot use legitimate interests as a basis when processing for your tasks as a public authority, this does not mean that it can never apply.
This restriction on the use of legitimate interests is about the nature of the task, not the nature of the organisation. This means that if you are a public authority legitimate interests could potentially be available for you to rely on if you can demonstrate that the processing is not part of you performing your tasks as a public authority.
Are there cases when the purpose will constitute a legitimate interest?
The GDPR highlights certain purposes that either ‘constitute’ a legitimate interest or ‘should be regarded as’ a legitimate interest. These are:
network and information security; and
indicating possible criminal acts or threats to public security.
If you are processing for these purposes then you will have met the purpose test, and if you can show your processing is necessary (or in some cases ‘strictly’ necessary), this can make the balancing test more straightforward. Processing for these purposes is a strong factor in the balancing test; therefore, depending on the circumstances, your balancing test could be brief.
Whilst processing for these purposes is likely to make it easier to rely on the basis of legitimate interests, you still need to consider your wider compliance with other GDPR obligations and safeguards. For example, Article 9 conditions if you are processing special category data, Article 10 if you are processing criminal offence data, transparency requirements, data minimisation, and any obligation to carry out a DPIA.
Are there cases when legitimate interests is likely to apply?
The GDPR highlights some processing activities where the legitimate interests basis is likely to apply:
processing employee or client data;
direct marketing; or
intra-group administrative transfers.
The recitals say that legitimate interests ‘may’ apply to these processing activities, but this does not mean that these activities will always be a legitimate interest or that it automatically gives you a lawful basis for processing. You still need to apply the three-part test to demonstrate that it does apply in the particular circumstances.
Can we use legitimate interests for employee or client data?
Yes, in some cases, but it does not always apply and you need to consider the three-part test. Recital 47 of the GDPR says:
“…Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.”
This means that a legitimate interest could exist where there is a ‘relevant and appropriate relationship’ between you and the individual, for example if the individual is your client or your employee. However, it does not say that the legitimate interests basis always applies.
It may be more likely to apply because you are more likely to have an evident legitimate purpose for using this data, and the nature of your relationship means the processing is less likely to be unexpected or unwanted, so the balancing test is likely to be easier.
In some instances it may be that your interests and those of the individual are actually aligned or intertwined, for example where you are supporting staff development or dealing with the needs of a customer. However, this does not mean that when there’s an appropriate relationship there’s automatically a mutual legitimate interest.
You still need to specify your interests, demonstrate that the processing is necessary and consider the balancing test.
There is likely to be some overlap with personal data processed on the basis of performance of a contract. If the processing is actually necessary for you to perform your side of a contract with the employee or client, then you should consider Article 6(1)(b) instead.
Can we use legitimate interests for intra-group transfers?
Yes, in some cases, but again, it does not automatically cover all such processing and you need to consider the three-part test. Recital 48 says:
“Controllers that are part of a group of undertakings or institutions affiliated to a central body may have a legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of clients' or employees' personal data. The general principles for the transfer of personal data, within a group of undertakings, to an undertaking located in a third country remain unaffected.”
This indicates that you may have a legitimate interest in transmitting personal data to other organisations within your group for administrative purposes. But it does not say this always constitutes a legitimate interest. If you operate within a group of entities and subsidiaries then you may be able to demonstrate that transfers within the group are necessary for a legitimate interest of group administration, but you need to identify your specific purpose, show that the processing of this data is necessary for that purpose, and consider the balancing test.
Company AAA is a subsidiary of Company A. Company AAA does not have an HR department, as this function is performed centrally at Company A. Company AAA wants to rely on legitimate interests as its lawful basis for passing employee data to Company A.
Company AAA concludes that it is in its legitimate interests to disclose information about leave, sickness, performance etc to its parent company for efficient group HR administration purposes.
Company AAA, however, needs to consider whether transferring this data is actually necessary for this purpose, and then balance this against the interests of the individuals, before it can be sure that the processing is lawful on the basis of legitimate interests.
As the data that Company AAA wants to transfer includes special category data, it also needs to identify a special category condition for processing in compliance with Article 9.
It is important to note that whilst you may consider that legitimate interests gives you a lawful basis for the transfer, the rules on transferring personal data to a company in a third country still apply. You still need to ensure that you comply with international transfers requirements.
Can we use legitimate interests for our marketing activities?
Yes, in some cases, but you need to apply the three-part test and ensure that you comply with other marketing laws. Recital 47 of the GDPR says:
“…The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
This means that direct marketing may be a legitimate interest. However the GDPR does not say that direct marketing always constitutes a legitimate interest, and whether your processing is lawful on the basis of legitimate interests depends on the particular circumstances.
In terms of the purpose test, some forms of marketing may not be legitimate if they do not comply with other legal or ethical standards or with industry codes of practice. However, as long as the marketing is carried out in compliance with e-privacy laws and other legal and industry standards, in most cases it is likely that direct marketing is a legitimate interest.
However this does not automatically mean that all processing for marketing purposes is lawful on this basis. You still need to show that your processing passes the necessity and balancing tests.
You may also need to be more specific about your purposes for some elements of your processing in order to show that processing is necessary and to weigh the benefits in the balancing test. For example, if you use profiling to target your marketing.
It is sometimes suggested that marketing is in the interests of individuals, for example if they receive money-off products or offers that are directly relevant to their needs. However, this is unlikely to add much weight to your balancing test, and we recommend you focus primarily on your own interests and avoid undue focus on presumed benefits to customers unless you have very clear evidence of their preferences.
In some cases marketing has the potential to have a significant negative effect on the individual, depending on their personal circumstances. For example, someone known or likely to be in financial difficulties who is regularly targeted with marketing for high interest loans may sign up for these offers and potentially incur further debt.
When looking at the balancing test, you should also consider factors such as:
whether people would expect you to use their details in this way;
the potential nuisance factor of unwanted marketing messages; and
the effect your chosen method and frequency of communication might have on more vulnerable individuals.
Given that individuals have the absolute right to object to direct marketing under Article 21(2), it is more difficult to pass the balancing test if you do not give individuals a clear option to opt out of direct marketing when you initially collect their details (or in your first communication, if the data was not collected directly from the individual). The lack of any proactive opportunity to opt out in advance would arguably contribute to a loss of control over their data and act as an unnecessary barrier to exercising their data protection rights.
A charity wants to send fundraising material by post to individuals who have donated to them in the past but have not previously objected to receiving marketing material from them.
The charity’s purpose of direct marketing to seek funds to further its cause is a legitimate interest.
The charity then looks at whether sending the mailing is necessary for its fundraising purpose. It decides that it is necessary to process contact details for this purpose, and that the mailing is a proportionate way of approaching individuals for donations.
The charity considers the balancing test and takes into account that the nature of the data being processed is names and addresses only, and that it would be reasonable for these individuals to expect that they may receive marketing material by post given their previous relationship.
The charity determines that the impact of a fundraising mailing on these individuals is likely to be minimal; however, it includes details in the mailing (and each subsequent one) about how individuals can opt out of receiving postal marketing in future.
If you intend to process personal data for the purposes of direct marketing by electronic means (by email, text, automated calls etc) legitimate interests may not always be an appropriate basis for processing. This is because the e-privacy laws on electronic marketing – currently the Privacy and Electronic Communications Regulations (PECR) – require that individuals give their consent to some forms of electronic marketing. It is the GDPR standard of consent that applies, because of the effect of Article 94 of the GDPR.
If e-privacy laws require consent, then processing personal data for electronic direct marketing purposes is unlawful under the GDPR without consent. If you have not got the necessary consent, you cannot rely on legitimate interests instead. You are not able to use legitimate interests to legitimise processing that is unlawful under other legislation.
If you have obtained consent in compliance with e-privacy laws, then in practice consent is also the appropriate lawful basis under the GDPR. Trying to apply legitimate interests when you already have GDPR-compliant consent would be an entirely unnecessary exercise, and would cause confusion for individuals.
If e-privacy laws do not require consent, legitimate interests may well be appropriate. Based on the current legislation (PECR), and depending on the outcome of your three-part test, legitimate interests may be appropriate for ‘solicited’ marketing (ie marketing proactively requested by the individual), or for unsolicited marketing in the following circumstances:
Is legitimate interests likely to be appropriate?
‘Live’ phone calls to TPS/CTPS registered numbers
‘Live’ phone calls to those who have objected to your calls
‘Live’ phone calls where there is no TPS/CTPS registration or objection
Automated phone calls
Emails/text messages to individuals – obtained using ‘soft opt-in’
Emails/text messages to individuals – without ‘soft opt-in’
Emails/text messages to business contacts
You also need to remember that Article 21 specifically gives the data subject the right to object to processing of their personal data for the purposes of direct marketing, and you must inform them of that right. If the data subject objects then this overrides your legitimate interests and you need to stop processing their data for direct marketing purposes.
The EU is in the process of replacing the current e-privacy law (and therefore PECR) with a new ePrivacy Regulation (ePR). However the new ePR is yet to be agreed. The existing PECR rules continue to apply until the ePR is finalised, with some changes for GDPR (chiefly the definition of consent).
Can we use legitimate interests for our business to business contacts?
Yes, it is likely that much of this type of processing will be lawful on the basis of legitimate interests, but there is no absolute rule here and you need to apply the three-part test.
You are still processing personal data when you are using and holding the names and details of your individual contacts at other businesses. You must have a lawful basis to process this personal data.
You can consider using legitimate interests as your lawful basis for such processing. However you need to identify your specific interest underlying the processing and ensure that the processing is actually necessary for that purpose.
Assuming you can meet these first two parts of the three-part test, you also need to consider the balancing test. You may find it is straightforward as business contacts are more likely to reasonably expect the processing of their personal data in a business context, and the processing is less likely to have a significant impact on them personally.
Individuals attend a business seminar and the organiser collects business cards from some of the delegates.
The organiser determines that they have a legitimate interest in networking and the growth of their business. They also decide that collecting delegate contact details from business cards is necessary for this purpose.
Having considered purpose and necessity, the organiser then assesses that the balance favours their processing, as it is reasonable for delegates handing over business cards to expect that their business contact details will be processed, and the impact on them will be low. The organiser also ensures that they will provide delegates with privacy information, including details of their right to object. The organiser subsequently collates the contact details of the delegates and adds them to their business contacts database.
If you intend to process the personal data of your business contacts you need to remember that individuals’ rights, including the right to be informed, still apply.
Can we use legitimate interests to process children’s personal data?
The GDPR does not ban you from relying on legitimate interests as your lawful basis if you are processing children’s personal data. However Article 6(1)(f) specifically highlights children’s personal data as requiring particular protection.
If you choose to rely on legitimate interests for processing children’s personal data you have a responsibility to protect them from risks that they may not fully appreciate and from consequences that they may not envisage. You must ensure their interests are adequately protected and that there are appropriate safeguards.
A legitimate interests assessment may be a useful tool to help you ensure that you properly consider the children’s interests. However, you need to give extra weight to their interests and you need a more compelling interest to justify any potential impact on children on this basis.
Can we use legitimate interests to disclose data to third parties?
You may be able to lawfully disclose data on the basis of legitimate interests. These might be your own interests, or the interests of the third party receiving the data, or a combination of the two.
Your focus is on justifying your disclosure when you carry out the three-part test. Although the third party’s intentions and interests are directly relevant, your focus is on whether the disclosure itself is justified for that purpose. The third party is responsible for ensuring their own further processing is fair and lawful, including carrying out their own three-part test if they plan to rely on legitimate interests as their basis for processing.
What about special category data?
You can still consider legitimate interests as your lawful basis for processing special category data, but even if it applies you also need a special category condition under Article 9. If you are unable to meet a condition you are not able to process the special category data, even if legitimate interests applies under Article 6.
There is no special category condition equivalent to legitimate interests, as the conditions are designed to be more specific to the purpose of the processing. But there are ten special category conditions to choose from in the GDPR (supplemented by Schedule 1 of the Data Protection Bill). You should consider whether any of these conditions fit the circumstances.
If you are processing special category data, in most cases the sensitive nature of this data means there are greater risks to the interests and rights or freedoms of the individual. Therefore you may need to ensure that you put in place more robust safeguards to mitigate any impact or risks to the individual as a result of your processing, or that there is a more compelling justification.
You are also more likely to need to consider carrying out a DPIA.
When should we avoid choosing legitimate interests?
There are a number of factors which might indicate that legitimate interests is unlikely to be an appropriate lawful basis for your processing. For example, you should avoid choosing legitimate interests if:
you are a public authority and the processing is to perform your tasks as a public authority;
your processing does not comply with broader legal, ethical or industry standards;
you don’t have a clear purpose and are keeping the data ‘just in case’ (in this case your processing is not compliant on any basis);
you could achieve your end result without using personal data;
you don’t want to take full responsibility for protecting the interests of the individual, or would prefer to put the onus onto the individual;
you intend to use the personal data in ways people are not aware of and do not expect (unless you have a more compelling reason that justifies the unexpected nature of the processing);
there’s a risk of significant harm (unless you have a more compelling reason that justifies the impact);
you’re not confident about the outcome of the balancing test;
you would be embarrassed by any negative publicity about how you intend to use the data; or
another lawful basis more obviously applies to a particular purpose. Although in theory more than one lawful basis may apply to your processing, in practice legitimate interests is unlikely to be appropriate for any processing purpose where another basis objectively applies.
A retailer operates a loyalty scheme. Individuals sign up in order to be part of the scheme and collect loyalty points, providing personal data in return for special offers. The retailer will be processing personal data for different purposes and wants to use legitimate interests as their lawful basis.
The purposes for processing the personal data are:
1. to calculate the amount of vouchers and post vouchers to the individual;
2. to profile the interests of individuals to post and email targeted discounts;
3. for data analytics so it can improve its products and services.
The terms and conditions of the loyalty scheme amount to a contract. The scope of the services will dictate what processing can be said to be ‘necessary for the contract’.
Purpose 1. is a core service, so processing for that purpose is necessary for the contract. As the processing is objectively lawful on the basis of contract, legitimate interests would not be appropriate. This is because basing the processing on legitimate interests over contract means that individuals would be deprived of their data portability rights.
Purpose 2. is not a core service, and is actually direct marketing to which the individual has the right to object. Processing for this purpose is not necessary for the contract. The retailer may choose to consider consent or legitimate interests for this processing.
Purpose 3. again is not a core service and so is not necessary for the contract. The retailer may choose to consider consent or legitimate interests for this processing. An alternative approach is for this personal data to be anonymised before it is used for data analytics.
What are the alternatives?
You must have a lawful basis in order to process personal data. Legitimate interests is one of the six lawful bases but there are alternatives. The other lawful bases are in brief:
Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
Contract: the processing is necessary for a contract with the individual, or because they have asked you to take specific steps before entering into a contract.
Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
Vital interests: the processing is necessary to protect someone’s life.
Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
You should always choose the basis that is most appropriate to the particular circumstances.