GDPR – How to Use Legitimate Interest
There are misconceptions about the use of legitimate interest as a lawful ground for processing under the GDPR (Article 6(1)(f) and Recital 47). This is not a catch-all provision which allows you to process personal data where you cannot find another lawful basis for doing so. There are some fundamental steps which need to be considered at the outset, before data is collected.
- Consider whether your business’ purposes in processing the data, or those of a third party such as a subcontractor, purchaser of the business or similar, are sufficiently important to justify processing the personal data, i.e. is this personal data you would just like to know or do you really need to know it?
- Is it necessary to process the personal data in the way intended? Do you really need to process it in the intended way or is there some less risky, lower level of processing that could be done instead?
- Do the data subject’s (whether that is a customer, client, employee or contractor) fundamental rights and freedoms which require the protection of personal data override your legitimate interests? For example, would the data subject not expect their personal data to be used in that way by you? This is a balancing act, taking into account your interests versus those of the data subject; it is not a right of veto for the data subject.
- Having considered the above and made a reasoned decision, document this in a legitimate interests assessment at the earliest opportunity, ideally before the personal data has been obtained. After the processing has taken place is too late. If legal advice has been taken, this is an ideal means of demonstrating careful thought has gone into the process.
- Comply with the GDPR principle of transparency by explaining what the legitimate interests of processing are in your privacy policies and provide these to the data subject, preferably at the point their personal data is collected and at least before their data is processed on the grounds of legitimate interest.
- Take note of data subjects’ enhanced right to object to the processing of personal data under Article 21(1) of the GDPR. If a data subject objects to processing then legitimate interest requires you to stop unless there are compelling reasons to continue.
The above are all procedural steps, but of course the most asked question is what sort of processing of personal data can be justified under legitimate interest. There are no definitions in the GDPR, only hints at one example being direct marketing (but not direct marketing via email). The onus is on the data controller to make the assessment and then be able to justify it to the Information Commissioner’s Office. More practical examples of when a business might rely on legitimate interest can be found in our next insight here.
If you require any advice regarding any matter similar to this, then please do not hesitate to get in touch with our experienced team of Intellectual Property Solicitors in Devon on 01392 207020.