What counts as legitimate interest?

Disclaimer

One of the legal grounds for processing someone’s personal data is legitimate interest. As a site owner, legitimate interest is an especially important subject because in some cases it allows you to process personal data without asking for consent. However, it’s quite difficult to figure out if a purpose counts as legitimate interest.

GDPR Art. 6(1)(f) states: processing is lawful if it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject that require protection of personal data, in particular where the data subject is a child.

This can indeed be be interpreted in a very broad manner. In practice, it could mean almost anything that is in accordance with the law. All these situations should be evaluated case-by-case and when using legitimate interest as grounds for processing, the burden of proof lies with you. You will basically have to show how your legitimate interest overrides data subject’s interests. In order to do so you will have to balance following aspects:

1. the legitimate interest of you or a third party; and
2. the necessity of processing; and
3. interests or rights of data subjects.

The balancing of interests should evaluate reasonable expectations of data subjects in regards to their rights and interests in the specific situation considering the relationship with the controller (you). Examples of processing activities that could be considered belonging under legitimate interest: video surveillance on private properties (if proportional); screening employee data to fight corruption; screening employee data on internet use to prohibit using work computers for private purposes etc. Note that in case of children’s personal data, special consideration is expected.

A particularly interesting aspect is that direct marketing is also considered to be your legitimate interest. However, what exactly constitutes direct marketing is not defined by law, leaving a door open for many disputes. Also, keep in mind that you may only use legitimate interest as grounds for processing data if you can show that when balancing the three points mentioned above, the result is in favour of your legitimate interest. And note that the data subject still has the right to object to direct marketing, which means that they should be able to opt-out of direct marketing advertisements.

In conclusion, legitimate interest works as a “general clause” you could use when there are no other grounds for processing. Theoretically, you could fit almost anything under it. However, we strongly advise you to use it very carefully and ask for professional legal advice when using it.

The Privacy Policy provided by the GDPR Framework contains the legitimate interest clause among other things.

Read more about legitimate interest in the opinion published by WP29.

Related articles

• Page:
  Do my contact forms need a consent checkbox?
• Page:
  Do my newsletter signup forms need a consent checkbox?
• Page:
  Legal Grounds for processing
• Page:
  Lawful basis for processing personal data
• Page:
  What counts as legitimate interest?