Latest insights from our experts
GDPR – Legitimate Interest: Some Practical Examples
Having understood the basic 3 stages required to rely on legitimate interest (see our earlier insight here, many businesses are wondering what does that mean in practice?
- How do we decide whether the purpose for which we want to use the personal data is sufficiently important?
- How do we decide if the processing of that personal data is justified?
- How do we balance the fundamental rights and freedoms of the individual against the interests of our business?
The ICO are not hugely helpful, giving examples of an insurer wanting to prevent fraud, train operators responding to allegations of overcrowding or social media sites hiding user profile data (a veiled reference to LinkedIn). Great for those businesses but they are large enough to already have teams of in house lawyers considering these issues. What about everyday concerns relevant to the majority of businesses?
The GDPR text itself is a useful starting point but again is vague. It lists the following as almost always a legitimate interest (subject to going through the process in our last insight here)
- fraud prevention;
- ensuring network and information security; or
- indicating possible criminal acts or threats to public security.
The recitals to the GDPR (the preamble) say that the following may indicate a legitimate interest but will need careful justification:
- processing employee or client data
- direct marketing (by post only, not email); or
- administrative transfers within a group of companies.
So what about some practical examples.
An online retailer wants to generate sales by direct marketing
Direct marketing by email is subject to additional rules set out in the Privacy and Electronic Marketing Communications Regulations 2003 which always require consent from an individual before they can be sent a direct marketing email. Legitimate interest will never override that requirement with regard to emails.
Postal communications are different and it may be possible to rely on legitimate interest provided the appropriate 3 stage test has been completed.
A company wants to sell its business to another company, including the personal data of customers, employees and suppliers
Unlike the recitals to the GDPR, this involves transferring personal data outside the company group to a third party. Again legitimate interest can be relied upon but it would be wise to include additional steps such as
- Proper investigation of the purchaser – are they likely to comply with GDPR requirements
- A requirement in the purchase contract for the purchaser to notify data subjects of any change in processing activity
- Indemnities from the purchaser for breach of data subject rights
A business wants to develop and improve its website
If you require any advice regarding any matter similar to this, then please do not hesitate to get in touch with our experienced team of Intellectual Property Solicitors in Devon on 01392 207020.