GDPR Legitimate Interest is a lawful ground to process personal information
Legitimate interest of your business or that of a third party is one of six lawful grounds that you can use to process personal information of a living individual under the General Data Protection Regulation.
Any guidance yet on legitimate interest?
UK guidance has been provided by the UK regulator ICO and provides:
“It [legitimate interest] is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.”
To read more on the ICO guidance go here
Existing European guidance from the Article 29 working group Opinion 06/2014 from 2014 is also worth considering for its interpretation of legitimate interest.
Legitimate Interest Assessment
To rely on legitimate interest an assessment should be carried out and documented before a business relies on the legitimate interest ground.
In order to rely on this ground we/ a third party must have:
(a) A legitimate interest;
(b) The processing is necessary for the legitimate interest; and
(c) After having carried out a balancing test, the legitimate interests of the individual do not override the interests of the business or a third party.
A legitimate interest may include the use of CCTV at a place of work for security purposes which must be balanced against the rights to privacy of the public and employees.
Prevention of fraud is another example.
IT security is another.
Recital 47 provides “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate purpose.”
However other existing law needs to be complied with including the ePrivacy Regulations.
Legitimate interest cannot be relied on if an individual’s right overrides it taking into consideration the reasonable expectations of the individual based on his relationship with the business (Recital 47).
Examples of where legitimate interest may arise include for customers and employees.
Reliance on a legitimate interest requires a careful assessment including whether the individual can reasonably expect at the time and in the context of the collection of the personal information that processing for a legitimate purpose may take place.
Using the legitimate interest ground requires careful consideration and a documented assessment before it is used.
To learn more please contact us.
The material in this article is for general information purposes only and does not constitute legal or taxation advice. Specific legal and
taxation advice should be sought before acting. All information and taxation rules are subject to change without notice.
No liability whatsoever is accepted by M. McLoughlin & Co. for any action taken in reliance on the information in this article
Book an appointment Downloads Subscribe Contact Us