What is the 'legitimate interests' basis?

In detail

What does the UK GDPR say about the legitimate interests lawful basis?

Legitimate interests is one of the seven lawful bases for handling personal information. You must have a lawful basis to process personal information in line with the ‘lawfulness, fairness and transparency’ principle.

Article 6(1)(f) of the UK GDPR says:

1. Processing shall be lawful only if and to the extent that at least one of the following applies:

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Legitimate interests is different to the other lawful bases because it:

  • isn’t centred around a particular purpose, for example:
    • performing a contract with that person;
    • complying with a legal obligation;
    • protecting vital interests; or
    • carrying out a public task;
  • doesn’t contain a list of the purposes it applies to (like recognised legitimate interest does); and
  • isn’t a use of personal information that the person has specifically agreed to (consent).

Legitimate interests is more flexible and, in principle, may apply to any use of personal information for any reasonable purpose. But you’re responsible for balancing your legitimate interests and the necessity for using personal information against the interests, rights and freedoms of people whose information you want to use. This is different to the other lawful bases, which presume that your interests and those of the person are already balanced.

The legitimate interests lawful basis has three key elements. We call this the three-part test.

Further reading – ICO guidance

A guide to lawful basis

What is the three-part test?

The three-part test isn’t specifically set out in the UK GDPR, but each element is present in the legitimate interests provision. It breaks down into three parts:

processing is necessary for…

…the purposes of the legitimate interests pursued by the controller or by a third party,…

…except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

The test comes from court rulings that interpret the requirements of legitimate interests.

It makes sense to apply this as a test in the following order:

  1. Purpose test: Do you have a legitimate interest for using the personal information?
  2. Necessity test: Is your use of personal information necessary for that purpose?
  3. Balancing test: Do the person’s interests, rights or freedoms override the legitimate interest you’ve identified?

You must be able to satisfy all three parts of the test before you start using the information. It’s not enough for you to simply say that using personal information is in your legitimate interests.

Further reading

The concept of a three-part test comes from the Court of Justice of the European Union in the Rigas case (C-13/16, 4 May 2017). This was about legitimate interests in an earlier data protection law. However, the wording is very similar in the UK GDPR, and the judgment is part of retained case law for the UK.

What counts as a ‘legitimate interest’?

Legitimate interests can be a wide range of things. Your own legitimate interests in using the personal information can count, as can those of a third party. The term ‘third party’ doesn’t just refer to other organisations – it may also be another person.

The public’s legitimate interests can also play a part when deciding whether the legitimate interests in using a person’s information override that person’s interests and rights. If your use of the information serves a wider public interest, this may add weight to your interests when you balance them against those of the person whose information you want to use.

The UK GDPR doesn’t say what factors to consider when deciding if your purpose is a legitimate interest. It might be as simple as it being legitimate to start up a new business activity or to grow your business.

Example

A company wants to rely on legitimate interests to use recordings of calls to their helpline for training purposes.

First, they consider the purpose test. It’s in the company’s legitimate business interests to ensure that their staff are well-trained. The company’s customers also have a legitimate interest in dealing with staff who are equipped to handle their queries.

As they have met the purpose test, the company can go on to consider the necessity test and the balancing test.

As legitimate interests is a broad concept, the interests don’t have to be very compelling. While in some cases they might be, the UK GDPR doesn’t rule out more trivial interests or controversial interests.

Both of these can count as legitimate interests. But if the interests are trivial or controversial, the balancing test is more likely to override them in favour of the person’s interests.

However, showing that there is a legitimate interest means that you (or a third party) should have some clear and specific benefit or outcome in mind. It’s not enough to rely on vague or generic business interests. You should consider exactly what you are trying to achieve with the particular processing activity.

For example, it’s not enough to simply say "we have a legitimate interest in using customer information". This doesn’t specify your purpose or intended outcome. Instead, you should be more specific about your purpose. For example, you might say "we have a legitimate interest in marketing our products to existing customers to increase sales".

While any purpose can potentially be relevant, you must ensure it’s ‘legitimate’. Anything illegitimate, unethical or unlawful isn’t a legitimate interest. For example, although marketing may in general be a legitimate purpose, sending spam emails in breach of electronic marketing rules is not.

If the use of personal information is unlawful from the outset, the other two parts of the test can’t make it lawful. If the interest isn’t legitimate, you don’t meet the first part of the test, and legitimate interests won’t apply.

The UK GDPR doesn’t have an exhaustive list of what purposes are likely to constitute a legitimate interest for this lawful basis.

However, it does say that the following activities may be a legitimate interest:

  • network and information security;
  • direct marketing; and
  • administrative transfers within a group of organisations.

The UK GDPR also suggests in its recitals that a legitimate interest "could exist" when you want to use employee or client information.

However, while these activities may indicate a legitimate interest, you must still:

  • identify your precise purpose; and
  • show that it’s legitimate in the specific circumstances.

In particular, you must ensure your direct marketing complies with the Privacy and Electronic Communications Regulations 2003 (PECR) rules on consent. You must also go on to assess the rest of the three-part test. (See When can we rely on legitimate interests? for more information.)

The UK GDPR’s examples of legitimate interests aren’t exhaustive. You may also be able to demonstrate in a wide range of other situations that you’re using personal information for the purposes of legitimate interests.

(For more practical steps on how to assess the purpose test and document your legitimate interests, read the section How do we apply legitimate interests in practice?.)

Further reading – ICO guidance

Guide to PECR

When is using personal information ‘necessary’?

You must demonstrate that your use of the personal information is necessary for the purposes of the legitimate interests you’ve identified. This doesn’t mean it has to be absolutely essential, but you must ensure it is a targeted and proportionate way of achieving your purpose.

You should decide on the facts of each case whether:

  • your use of personal information is proportionate and adequately targeted to meet your objectives; and
  • there is any less intrusive alternative (ie if you can achieve your purpose by some other reasonable means).

If you can achieve your purpose in a less intrusive way, the more intrusive way isn’t necessary.

Example

An organisation carries out particularly sensitive work, so they want to ensure that their employees are vetted. They decide to make their job offers conditional on the person having vetting or background checks.

Given the nature of the work, the organisation decides that it is in their legitimate business interests to have fully vetted employees. They consider the different roles that they have and determine that the level of vetting would be different depending on the type of role.

To meet the necessity test, they assess what checks and vetting are necessary for each role. This is to ensure that their use of personal information is targeted and proportionate to the specific role and responsibilities.

If the vetting includes handling criminal offence data, the organisation must also have a separate condition for using this information in compliance with article 10 of the UK GDPR.

Example

A public figure posts a video about overcrowding on trains that shows them on a train run by a particular train operator. Various media outlets report on the video.

The train operator wants to release the CCTV footage of the public figure on the train to counter reports that the train was overcrowded. The footage they hold also includes images of other passengers.

The train operator has a legitimate interest in releasing the footage. They consider the footage necessary to correct what they deem to be misleading news reports that might damage their reputation and commercial interests.

They consider the necessity test. They decide that it is not possible to achieve their legitimate interests without publishing the image of the public figure. This is because the only way they can counter the existing news footage is to show the public figure on that journey. Doing so shows that there were empty seats on the train.

The train operator can demonstrate that it is necessary to publish the public figure’s image to pursue their legitimate interests (ie to give their side of the story). However, it is not necessary for them to publish pictures of anyone else on the train.

Therefore, they should take steps to ensure that they obscure the images of other passengers. They must then go on to consider the balancing test.

For the necessity test, you may be able to argue that some non-essential features of what you want to do (such as profiling or marketing) are necessary for your purposes. However, this is only the case if you clearly identify the specific purpose behind those particular features. You should not try to rely on a vague business objective that you may be able to achieve in another way. You must ensure that your use of the personal information is necessary for the specific purpose you identify in step one of the test. This is one reason why you should be clear and specific about your purposes.

Don’t confuse using personal information that is necessary for your stated purpose with using information that is only necessary because of the way you have chosen to pursue it.

You can’t rely on this basis if:

  • you’re unable to demonstrate that using the information actually helps achieve the purpose; or
  • using the information is not a reasonable way of achieving it.

(For more practical steps on assessing and documenting the necessity test, see the section on How do we apply legitimate interests in practice?.)

Further reading – ICO guidance

Criminal offence data

What is the balancing test?

The balancing test is where you:

  • consider the interests, fundamental rights and freedoms of the person whose personal information you want to use; and
  • check that these don’t override your interests.

This is a light-touch risk assessment to check that any risks to the person’s interests are proportionate.

Even if you determine that what you want to do with the personal information is necessary for a legitimate interest, this doesn’t mean that you’re automatically able to rely on this lawful basis. You must also justify any impact on the person. You should do this by performing a balancing test.

If the information belongs to children, you must be particularly careful to ensure you protect their interests and rights.

What are the person’s ‘interests, rights and freedoms’?

This is a broad concept. It includes people’s data protection and privacy rights, as well as other fundamental rights and more general interests.

You should focus on the potential impact your use of personal information has on people. The UK GDPR is clear that a risk to a person’s interests, rights and freedoms can involve physical, financial or any other impacts, including:

  • an inability to exercise their rights (including data protection rights);
  • a loss of control over the use of their personal information; or
  • any social or economic disadvantage.

What is the importance of reasonable expectations?

You must assess whether a person can reasonably expect what you intend to do. You should consider, in particular, when and how you collected their information.

If you intend to use personal information in ways that people don’t reasonably expect, then their interests, rights and freedoms can override your legitimate interests. This is because if what you want to do is unexpected, people lose control over how their information is used. Therefore, they may not be in an informed position to exercise their rights. This is clearly linked to your transparency obligations.

This is an objective test. The question isn’t whether a particular person actually expects what you intend to do with their information, but whether a reasonable person ought to expect it in the circumstances.

One of the factors that may affect what people reasonably expect is what you tell them in your privacy information. If you include a clear upfront explanation about what you intend to do with their information, they are more likely to expect it. However, if you include this explanation in a long or hard-to-read privacy policy, you’re unlikely to be able to demonstrate reasonable expectations. This is particularly the case when what you want to do is more unexpected.

Your relationship with the person also plays a part in determining whether they would reasonably expect your use of their information. Recital 47 indicates that legitimate interests is more likely to apply where you have a "relevant and appropriate relationship" (eg because they are your client or employee). If you don’t have a pre-existing relationship, it’s harder to demonstrate that what you want to do can be reasonably expected.

If you want to collect people’s information from other sources instead of directly from them, it’s less likely that they will reasonably expect what you want to do with it. Before you get the information, you should be clear about whether those sources tell people that they might share people’s information for others to use and for what purpose.

Other factors might also generally affect people’s reasonable expectations, such as:

  • how long ago you collected the personal information;
  • where the information came from;
  • the nature of any existing relationship you have with the person (eg whether you have used their information before); and
  • whether:
    • you’re using new technology;
    • you’re using the information in a new way people may not have anticipated; or
    • there are any developments in the technology or updates to the services that people have come to expect.

Example

A person uploads their CV to a job board website. A recruitment agency accesses the CV and thinks that the person may have the skills that two of their clients are looking for. They want to pass the CV to those companies.

It’s likely in this situation that the lawful basis for the recruitment agency and their clients is legitimate interests.

The person has made their CV available on a job board website for the express reason of employers being able to access this information. They haven’t given consent specifically to identified organisations, but they clearly expect recruitment agencies to access their CV and share it with clients. This is likely to be that person’s intention.

As such, the interests or rights of the person don’t outweigh the recruitment agency’s and their clients’ legitimate interest in filling vacancies. In fact, those legitimate interests are likely to align with the interests of the person in circulating their CV to find a job.

Example

A person creates a profile on a social networking website designed specifically for professional networking. There is a specific option to select a function to let recruiters know that the person is open to job opportunities.

If the person chooses to select that option, they clearly expect that those who view their profile might use their contact details for recruitment purposes. Therefore, legitimate interests may apply (subject to compliance with other legal requirements, and PECR in particular).

However, if the person chooses not to select that option, it’s reasonable to assume that they don’t have that expectation.

The person’s interests in keeping control of their information override any legitimate interests of a recruitment agency in promoting its services to potential candidates. This is especially true because PECR require consent to receive unsolicited marketing messages.

Although reasonable expectations are important, this doesn’t automatically determine the outcome. Simply warning a person that you will use their information in a certain way doesn’t mean that your legitimate interests always prevail. You should still consider whether the use will cause harm. In some cases, you may still be able to justify an unexpected use of personal information if you have a compelling reason for it.

When do people’s interests override ours?

Even if what you want to do might have a negative impact on the person, this doesn’t automatically mean that their interests always override yours. This depends on the severity of the impact and whether you can justify that use of their information for your purpose. Your interests don’t always have to be in harmony with those of the person. If you have a more compelling interest, this may justify some impact on them.

However, if there is a serious mismatch between your interests and the interests, rights and freedoms of the person, you should assume theirs are stronger and put their interests first.

For example, this applies where:

  • the person wouldn’t reasonably expect what you want to do with their information;
  • they would be likely to object to your proposed use;
  • what you want to do would have a significant impact on them;
  • what you want to do would prevent them from exercising their rights; or
  • the personal information you want to use is particularly sensitive – for example:
    • special category data;
    • criminal offence data; or
    • children’s information.

However, the outcome of your balancing test depends on the circumstances.

(For more practical guidance on how to assess the balancing test, read the section on How do we apply legitimate interests in practice?.)

Example

A finance company is unable to locate a customer who has stopped making payments under a hire purchase agreement. The customer has moved house without notifying the finance company of their new address. The finance company wants to use a debt collection agency to find the customer and seek repayment of the debt. They want to disclose the customer’s personal information to the agency for this purpose.

The finance company has a legitimate interest in recovering the debt owed. To achieve this purpose, it is necessary for them to use a debt collection agency to track down the customer.

The finance company considers the balancing test. They decide it is reasonable for their customers to expect that they will take steps to seek payment of outstanding debts.

The interests of the customer are likely to differ from those of the finance company in this situation, as it may suit the customer to avoid paying their outstanding debt.

In these circumstances, the customer’s interests don’t override the finance company’s legitimate interest in passing the personal information to a debt collection agency. The balance is in favour of the finance company.

What’s the difference between legitimate interests and the recognised legitimate interest basis?

Legitimate interests and recognised legitimate interest are two different lawful bases. Which basis is most appropriate for you to use depends on the circumstances.

Below is a summary of the main differences and similarities:

The comparison covers the following points for each of the two bases (legitimate interests and recognised legitimate interest):

  • suitable for a wide variety of purposes;
  • requires you to assess the impact on people’s rights, interests and freedoms;
  • requires you to assess necessity; and
  • right to object applies.

Recognised legitimate interest only applies if your use of the personal information is for one of its pre-approved purposes. Legitimate interests is more flexible as it’s not limited to a specific set of purposes.

All the pre-approved purposes in the recognised legitimate interest lawful basis are likely to meet the purpose test under the legitimate interests basis. However, this still depends on the circumstances. This means you could choose legitimate interests as your lawful basis for these and apply the three-part test instead of using recognised legitimate interest.

If you’re currently relying on legitimate interests for a purpose that is covered by a recognised legitimate interest condition, you can continue to use it without having to change your lawful basis.

Further reading – ICO guidance

Recognised legitimate interest