Legitimate interests is one of the six lawful bases for processing personal data. You must have a lawful basis in order to process personal data in line with the ‘lawfulness, fairness and transparency’ principle.
Article 6(1)(f) states:
“1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
Legitimate interests is different to the other lawful bases as it is not centred around a particular purpose (eg performing a contract with the individual, complying with a legal obligation, protecting vital interests or carrying out a public task), and it is not processing that the individual has specifically agreed to (consent). Legitimate interests is more flexible and could in principle apply to any type of processing for any reasonable purpose.
Because it could apply in a wide range of circumstances, it puts the onus on you to balance your legitimate interests and the necessity of processing the personal data against the interests, rights and freedoms of the individual taking into account the particular circumstances. This is different to the other lawful bases, which presume that your interests and those of the individual are balanced.
The key elements of the legitimate interests provision can be broken down into a three-part test.
Whilst a three-part test is not explicitly set out as such in the GDPR, the legitimate interests provision does incorporate three key elements. Article 6(1)(f) breaks down into three parts:
“processing is necessary for…
…the purposes of the legitimate interests pursued by the controller or by a third party, …
…except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
It makes most sense to apply this as a test in the following order:
Purpose test – is there a legitimate interest behind the processing?
Necessity test – is the processing necessary for that purpose?
Balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms?
This concept of a three-part test for legitimate interests is not new. In fact the Court of Justice of the European Union confirmed this approach to legitimate interests in the Rigas case (C-13/16, 4 May 2017) in the context of the Data Protection Directive 95/46/EC, which contained a very similar provision.
This means it is not sufficient for you to simply decide that it’s in your legitimate interests and start processing the data. You must be able to satisfy all three parts of the test prior to commencing your processing.
A wide range of interests may be legitimate interests. It could be your legitimate interests in the processing or it could include the legitimate interests of any third party. The term ‘third party’ doesn’t just refer to other organisations, it could also be a third party individual.
The legitimate interests of the public in general may also play a part when deciding whether the legitimate interests in the processing override the individual’s interests and rights. If the processing has a wider public interest for society at large, then this may add weight to your interests when balancing these against those of the individual.
An insurance company wants to process personal data to spot fraudulent claims on the basis of legitimate interests.
Firstly it considers the purpose test. It is in the company’s legitimate business interests to ensure that its customers do not defraud it out of money. However at the same time the company’s other customers and the public in general also have a legitimate interest in ensuring that fraud is prevented and detected.
As it has met the purpose test the insurance company can then go onto consider the necessity test and then the balancing test.
The GDPR does not define what factors to take into account when deciding if your purpose is a legitimate interest. It could be as simple as it being legitimate to start up a new business activity, or to grow your business.
Because the term ‘legitimate interest’ is broad, the interests do not have to be very compelling (although in some instances they may be) and it does not rule out interests that are more trivial. An interest that could be seen as trivial or controversial could still be a legitimate interest for these purposes, although be aware they are more easily overridden in the balancing test or if the data subject objects under Article 21.
Showing that you have a legitimate interest does mean however that you (or a third party) must have some clear and specific benefit or outcome in mind. It is not enough to rely on vague or generic business interests. You must think about specifically what you are trying to achieve with the particular processing operation.
For example, it is not enough to simply say: ‘we have a legitimate interest in processing customer data’, as this does not clarify your purpose or intended outcome. Instead, you need to be more specific about your purpose, such as: ‘we have a legitimate interest in marketing our goods to existing customers to increase sales’.
Whilst any purpose could potentially be relevant, that purpose must be ‘legitimate’. Anything illegitimate, unethical or unlawful is not a legitimate interest. For example, although marketing may in general be a legitimate purpose, sending spam emails in breach of electronic marketing rules is not legitimate.
If the interest is not legitimate then you do not meet the first part of the test and you are not able to use legitimate interests as your lawful basis. There is no need to consider the rest of the test as the other parts are not able to legitimise processing that is illegitimate from the outset.
The GDPR does not have an exhaustive list of what purposes are likely to constitute a legitimate interest. However, the recitals do say the following purposes constitute a legitimate interest:
ensuring network and information security; or
indicating possible criminal acts or threats to public security.
Therefore, if you are processing for one of these purposes you may have less work to do to show that the legitimate interests basis applies.
The recitals also say that the following activities may indicate a legitimate interest:
processing employee or client data;
direct marketing; or
administrative transfers within a group of companies.
However, whilst these last three activities may indicate a legitimate interest, you still need to do some work to identify your precise purpose and show that it is legitimate in the specific circumstances, and in particular that any direct marketing complies with e-privacy rules on consent. You would also need to go on to assess the rest of the three-part test. See ‘When can we rely on legitimate interests?’ for more information on the impact of these recitals.
These examples of processing highlighted by the GDPR recitals are not exhaustive. You may also be able to demonstrate in a wide range of other situations that you are processing for the purposes of legitimate interests.
You need to demonstrate that the processing is necessary for the purposes of the legitimate interests you have identified. This doesn’t mean that it has to be absolutely essential, but it must be a targeted and proportionate way of achieving your purpose.
You need to decide on the facts of each case whether the processing is proportionate and adequately targeted to meet its objectives, and whether there is any less intrusive alternative, ie can you achieve your purpose by some other reasonable means without processing the data in this way? If you could achieve your purpose in a less invasive way, then the more invasive way is not necessary.
An organisation undertakes work that is particularly sensitive, so it wants to ensure that the individuals it employs have been vetted. It decides to make its job offers conditional on the individual undergoing vetting or background checks.
In the purpose test, the organisation determines that it is in its legitimate business interests to have fully vetted staff given the nature of the work. It considers the different roles that it has and determines that the level of vetting would be different depending on the type of role. It assesses what checks and vetting are actually necessary for each role to ensure that the processing is targeted and proportionate to the specific role and responsibilities in order to meet the necessity test.
If the processing includes criminal offence data the organisation would also need to have a separate condition for processing this data in compliance with Article 10.
A public figure posts a video about overcrowding on trains that shows them on a train run by a particular train operator. The video is reported on by various media outlets.
The train operator wants to release the CCTV footage of the public figure on the train in order to counter the reports that the train was overcrowded. The footage it holds also includes images of other passengers.
The train operator has a legitimate interest in releasing the footage in order to correct what it deems to be misleading news reports that are potentially damaging to its reputation and commercial interests.
It considers the necessity test and concludes that it is not possible to achieve its legitimate interests without publishing the image of the public figure as it can only counter the existing news footage to show that there were empty seats on the train if it shows the public figure on that journey.
However, whilst it is able to demonstrate that it is necessary to publish the public figure’s image in order to pursue its legitimate interests (ie to give its side of the story), it is not necessary for the train operator to publish pictures of anyone else on the train.
It needs therefore to take steps to ensure that the images of passengers other than the public figure are obscured, as well as going on to consider the balancing test.
You should be careful not to confuse processing that is necessary for your stated purpose with processing which is only necessary because of your chosen method of pursuing that purpose. In the context of legitimate interests, you may be able to argue that some non-essential features of your processing (such as profiling or marketing) are necessary for your purposes. However, this is only the case if you clearly identify the specific purpose behind those particular features, and don’t hide behind a vague business objective that could be achieved in another way. The processing must be necessary for the specific purpose you have identified in step one. This is one reason why it is important to be clear and specific about your purposes.
If you are unable to demonstrate that the processing actually helps meet the legitimate interest, then you are not able to apply this basis. Likewise if the processing is not a reasonable way to achieve your stated purpose then legitimate interests does not apply. If there is another reasonable and less invasive way to meet the interest and achieve your purpose without the processing, then it would be unlawful (unless another lawful basis applies).
Just because you have determined that your processing is necessary for a legitimate interest does not mean that you are automatically able to rely on this basis for processing. You must also perform a ‘balancing test’ to justify any impact on individuals.
The balancing test is where you take into account “the interests or fundamental rights and freedoms of the data subject which require the protection of personal data”, and check they don’t override your interests. In essence, this is a light-touch risk assessment to check that any risks to individuals’ interests are proportionate.
If the data belongs to children then you need to be particularly careful to ensure their interests and rights are protected.
What are the individual’s ‘interests, rights and freedoms’?
The interests, rights and freedoms of individuals in this context are a broad concept which includes data protection and privacy rights, but also other fundamental rights as well as more general interests.
It is clear from other related provisions in the GDPR which talk about risks to the rights and freedoms of individuals that the focus here should be on any potential impact on individuals. Recital 75 provides some relevant guidance here. It makes clear that a risk to individuals’ rights and freedoms is about the potential for any type of impact. This includes physical, financial or any other impact, such as:
inability to exercise rights (including data protection rights);
loss of control over the use of personal data; or
any social or economic disadvantage.
The GDPR is clear that the interests of the individual could in particular override your legitimate interests if you intend to process personal data in ways the individual does not reasonably expect. This is because if processing is unexpected, individuals lose control over the use of their data, and may not be in an informed position to exercise their rights. There is a clear link here to your transparency obligations.
Recital 47 says:
“At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing.”
You need to assess whether the individual can reasonably expect the processing, taking into account in particular when and how the data was collected.
This is an objective test. The question is not whether a particular individual actually expected the processing, but whether a reasonable person should expect the processing in the circumstances.
One of the factors that may affect what individuals reasonably expect is what you tell them in your privacy information. If you include clear information about your processing, they are more likely to expect that processing.
Your relationship with the individual also plays a part in determining whether the individual would reasonably expect the processing to occur. Recital 47 indicates that legitimate interests is more likely to apply where you have a ‘relevant and appropriate relationship’, for example, because they are your client or employee. If you don’t have a pre-existing relationship, it is harder to demonstrate that the processing can be reasonably expected. If you obtained the data from a third party, you need to be clear what the individual was told about when that data might be passed on for use by others, and whether this covers you and your purpose for processing, as this will affect reasonable expectations.
Other factors might also affect the reasonable expectations of individuals, such as:
how long ago you collected the data;
the source of the data;
the precise nature of any existing relationship with the individual and how you have used their data in the past; and
whether you are using a new technology or processing data in a new way that individuals have not anticipated – or conversely whether there are any developments in technology or updates to services which individuals have come to expect.
An individual uploads their CV to a jobs board website. A recruitment agency accesses the CV and thinks that the individual may have the skills that two of its clients are looking for and wants to pass the CV to those companies.
It is likely in this situation that the lawful basis for processing for the recruitment agency and their clients is legitimate interests.
The individual has made their CV available on a job board website for the express reason of employers being able to access this data. They have not given specific consent for identified data controllers, but they would clearly expect that recruitment agencies would access the CV and share it with their clients; indeed, this is likely to be the individual’s intention. As such, the legitimate interest of the recruitment agencies and their clients to fill vacancies would not be overridden by any interests or rights of the individual. In fact, those legitimate interests are likely to align with the interests of the individual in circulating their CV in order to find a job.
An individual creates a profile on a social networking website designed specifically for professional networking. There is a specific option to select a function to let recruiters know that the individual is open to job opportunities.
If the individual chooses to select that option, they would clearly expect that those who view their profile might use their contact details for recruitment purposes, and legitimate interests may be available (subject to compliance with other legal requirements, and PECR in particular). However, if they choose not to select that option, it is not reasonable to assume such an expectation. The individual's interests in maintaining control over their data – particularly in the context of the PECR requirement for specific consent to receive unsolicited marketing messages – override any legitimate interests of a recruitment agency in promoting its services to potential candidates.
Although reasonable expectations is an important factor, it does not automatically determine the outcome. Simply having warned the individual in advance that their data will be processed in a certain way does not necessarily mean that your legitimate interests always prevail, irrespective of harm. And in some cases you may still be able to justify unexpected processing if you have a compelling reason for it.
When do individuals’ interests override ours?
Even if the processing might have a negative impact on the individual, this does not automatically mean that their interests always override yours. This depends on the severity of the impact, and whether it is warranted in light of your purpose. Your interests do not always have to be in harmony with those of the individual, and if you have a more compelling interest this may justify some impact on individuals.
A finance company is unable to locate a customer who has stopped making payments under a hire purchase agreement. The customer has moved house without notifying the finance company of their new address. The finance company wants to engage a debt collection agency to find the customer and seek repayment of the debt. It wants to disclose the customer’s personal data to the agency for this purpose.
The finance company has a legitimate interest in recovering the debt it is owed and in order to achieve this purpose it is necessary for them to use a debt collection agency to track down the customer for payment owed.
The finance company considers the balancing test and concludes that it is reasonable for its customers to expect that it will take steps to seek payment of outstanding debts. It is clear that the interests of the customer are likely to differ from those of the finance company in this situation, as it may suit the customer to evade paying their outstanding debt.
However, the legitimate interest in passing the personal data to a debt collection agency in these circumstances would not be overridden by the interests of the customer. The balance would be in favour of the finance company.
However, if there is a serious mismatch between your interests and those of the individual, and the individual’s are stronger, the individual’s interests come first, for example where:
they would not reasonably expect the processing;
they would be likely to object to the processing;
the processing would have a significant impact on them;
the processing would prevent them exercising their rights; or
the data you are processing is particularly sensitive, for example special category data, criminal offence data, or children’s data.
However the outcome will depend on the circumstances of the case.