What else do we need to consider?
At a glance
- Recognised legitimate interest is a lawful basis, not an exemption. You must still comply with the rest of the UK GDPR and DPA even if this basis applies.
What other data protection obligations apply?
Recognised legitimate interest is a lawful basis and not an exemption. It does not disapply other provisions of data protection law. If you can satisfy the requirements of one of its conditions, you are complying with the requirement to have a lawful basis that is part of the lawfulness principle of the UK GDPR.
But even if you can do this, you must also meet your other obligations under data protection law. For example, you must comply with the other data protection principles and enable people’s rights.
However, the right to data portability doesn’t apply if you’re relying on recognised legitimate interest. This means you’re not required to comply with a portability request from people whose personal information you’re handling under this basis. But if you’re relying on a different lawful basis to process that same information for another purpose, this right may apply.
What do we need to tell people?
Transparency is a key principle of data protection law. People have the right to be informed about the use of their personal information. The UK GDPR specifies what information you must provide to people as a minimum (eg in your privacy information).
In order to comply with the right to be informed, you must tell people:
- which lawful basis you’re relying on to handle their personal information; and
- what your purpose is for processing their information (unless an exemption applies).
Because the recognised legitimate interest conditions are purposes for processing, you must say which condition you are using, as well as stating that your lawful basis is recognised legitimate interest. For example, you could provide this information in the privacy information you give to people.
In some circumstances, you won’t know in advance that you need to use personal information for a purpose covered by the recognised legitimate interest conditions. For example, you may find you need to share information in response to an emergency where circumstances are changing quickly, and your usual privacy information doesn’t mention recognised legitimate interest or the condition you’re using.
You could consider having separate privacy information prepared in advance and ready for a situation where you need to rely on recognised legitimate interest.
In some limited cases, you might be able to rely on one of the exemptions to the right to be informed. This means you don’t need to tell people (some of these exemptions are built into this right and others are in the DPA). For example, there are DPA exemptions covering purposes such as national security and crime.
Can people object if we use recognised legitimate interest?
People have the right under the UK GDPR to object to the use of their personal information. This right applies if you’re relying on the recognised legitimate interest basis to handle their information.
However, this right is not absolute, so there may be occasions when you don’t have to stop your processing. If the objection is about direct marketing, though, it is an absolute right.
If you receive an objection from someone whose information you are using, you must stop unless you can show you have compelling legitimate grounds that override the person’s interests, rights and freedoms.
Further reading – ICO guidance
- Right to object
- A guide to lawful basis (for a list of which other rights apply to recognised legitimate interest)
What happens if our purpose changes?
If your purpose for using the personal information changes, you can only use it if your new purpose is compatible with your original purpose. The UK GDPR lists the circumstances where you can treat the processing as compatible. This includes when the person has given their consent or the new purpose is for research. You must be able to satisfy the UK GDPR’s purpose limitation requirements before you start using the personal information for the new purpose.
The UK GDPR also contains a list of nine purposes that are compatible with the original purpose for processing. Some of these purposes are the same or similar to the recognised legitimate interest conditions. For example, these cover processing for crime, emergencies and safeguarding purposes.
However, you must still ensure you have a lawful basis, even if your new purpose is compatible with your original one. If none of the recognised legitimate interest conditions fit your new purpose, you must choose a different lawful basis.