What is a ‘Legitimate Interest’?

Legitimate interest is one of the six lawful bases for processing personal data.

It is not centred around a particular purpose (e.g. performing a contract with an individual, complying with a legal obligation or protecting vital interests), and it is not processing that the individual has specifically agreed to (Consent).

Legitimate interest is actually more flexible than that and could in principle apply to any type of processing for any reasonable purpose.

In general, the condition applies when:

  • The processing isn’t required by law, but there’s a clear benefit to it;
  • There is little risk of the processing infringing on data subjects’ privacy; and
  • The data subject should reasonably expect their data to be used in this way.

Because it could apply in a wide range of circumstances, it puts the onus on you to balance your legitimate interests and the necessity of processing the personal data against the interests of the individual.

 

The key elements of legitimate interest can be broken down into a three-part test.

 

  • Purpose test – is there a legitimate interest behind the processing?
  • Necessity test – is the processing necessary for that purpose?
  • Balancing test – is the legitimate interest overridden by the individual’s interests?

Irish GDPR does not define what factors to take into account when deciding if your purpose is a legitimate interest.

It could be as simple as it being legitimate to start up a new business, or to grow your business.

Because the term is so broad, the interests don’t have to be very compelling, so more trivial interests are not ruled out.

Showing that you have a legitimate interest does mean, however, that you must have some clear and specific benefit or outcome in mind.

It is not enough to rely on some vague or generic business interests.

You must think about specifically what you are trying to achieve with the particular processing operation.

For example, it’s not enough to say: ‘we have a legitimate interest in processing customer data’, as this does not clarify your purpose or intended outcome.

Instead, you would need to be saying something like: ‘we have a legitimate interest in marketing our goods to existing clients to increase sales’.

While any purpose could potentially be relevant, that purpose must be ‘legitimate’.

Anything illegitimate, unethical or unlawful is not a legitimate interest.

For example, although marketing in order to grow your business may in general be a legitimate purpose, sending spam emails in breach of electronic marketing rules is not.

 

Is legitimate interest appropriate for marketing purposes?

 

One of the most common questions related to legitimate interest is whether it can be used for direct marketing.

After all, this is one of the biggest reasons that businesses collect personal data.

And besides consent – which has got a lot trickier to obtain and maintain under the GDPR – there are few options for storing personal data for marketing purposes.

As such, many businesses are pinning their hopes on legitimate interest.

But are they justified?

The answer, as with so many things related to GDPR, is that it depends on the circumstances.

Article 47 of the Regulation states that “direct marketing purposes may be regarded as carried out for legitimate interest.”

Note the use of the word ‘may’.

If you’re confident that your marketing practices meet the criteria for legitimate interest as set out in this guide, you’re probably fine.

But if you want something more definitive than ‘probably fine’ you can always carry out the legitimate interest three-part test discussed earlier.

Here’s an example of a legitimate interest for marketing purposes…

A charity wants to send fundraising material by post to individuals who have donated to them in the past but have not previously objected to receiving marketing material from them.

The charity’s purpose of direct marketing to seek funds to further its cause is a legitimate interest.

The charity then looks at whether sending the mailing is necessary for its fundraising purpose.

It decides that it is necessary to process contact details for this purpose, and that the mailing is a proportionate way of approaching individuals for donations.

The charity considers the balancing test and takes into account that the nature of the data being processed is names and addresses only, and that it would be reasonable for these individuals to expect that they may receive marketing material by post given their previous relationship.

The charity determines that the impact of a fundraising mailing on these individuals is likely to be minimal; however, it includes details in the mailing (and each subsequent one) about how individuals can opt out of receiving postal marketing in future.

 

And then there’s ePrivacy…

 

If you intend to process personal data for the purposes of direct marketing by electronic means (by email, text, automated calls etc) legitimate interests may not always be an appropriate basis for processing.

This is because the e-privacy laws on electronic marketing require that individuals give their consent to some forms of electronic marketing.

If e-privacy laws require consent, then processing personal data for electronic direct marketing purposes is unlawful under GDPR without consent.

If you have not got the necessary consent, you cannot rely on legitimate interests instead.

You are not able to use legitimate interests to legitimise processing that is unlawful under other legislation.

If e-privacy laws do not require consent, legitimate interests may well be appropriate.

Based on the current legislation, and depending on the outcome of your three-part test, legitimate interests may be appropriate for ‘solicited’ marketing (i.e. marketing proactively requested by the individual), or for unsolicited marketing in the following circumstances:

Marketing method                                                           Is legitimate interests likely to be appropriate?
Post
‘Live’ phone calls to TPS/CTPS registered numbers
‘Live’ phone calls to those who have objected to your calls                ✘
‘Live’ phone calls where there is no TPS/CTPS registration or objection
Automated phone calls                                                      ✘
Emails/text messages to individuals – obtained using ‘soft opt-in’
Emails/text messages to individuals – without ‘soft opt-in’                ✘
Emails/text messages to business contacts

 

Can you use legitimate interests for your business-to-business contacts?

 

Yes, it is likely that much of this type of processing will be lawful on the basis of legitimate interests, but there is no absolute rule here and you need to apply the three-part test.

You are still processing personal data when you are using and holding the names and details of your individual contacts at other businesses.

You must have a lawful basis to process this personal data.

You can consider using legitimate interests as your lawful basis for such processing.

However, you need to identify your specific interest underlying the processing and ensure that the processing is actually necessary for that purpose.

Assuming you can meet these first two parts of the three-part test, you also need to consider the balancing test.

You may find it is straightforward as business contacts are more likely to reasonably expect the processing of their personal data in a business context, and the processing is less likely to have a significant impact on them personally.

Here’s an example…

Individuals attend a business seminar and the organiser collects business cards from some of the delegates.

The organiser determines that they have a legitimate interest in networking and the growth of their business.

They also decide that collecting delegate contact details from business cards is necessary for this purpose.

Having considered purpose and necessity, the organiser then assesses that the balance favours their processing, as it is reasonable for delegates handing over business cards to expect that their business contact details will be processed, and the impact on them will be low.

The organiser also ensures that it will provide delegates with privacy information including details of their right to object.

The organiser subsequently collates the contact details of the delegates and adds them to their business contacts database.

 

What are the alternatives?

 

You must have a lawful basis in order to process personal data.

Legitimate interests is one of the six lawful bases but there are alternatives.

The other lawful bases are, in brief:

  • Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
  • Contract: the processing is necessary for a contract with the individual, or because they have asked you to take specific steps before entering into a contract.
  • Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
  • Vital interests: the processing is necessary to protect someone’s life.
  • Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

You should always choose the basis that is most appropriate to the particular circumstances.

 
