Unpacking GDPR: Legitimate interest

The General Data Protection Regulation (GDPR) has transformed the data protection landscape, and understanding its implications is crucial for organizations around the world. 

One aspect that often raises questions is the notion of “legitimate interest” as a lawful basis for processing personal data. How does it work, and how can organizations apply it correctly? In this post, we’ll dive into the intricacies of GDPR legitimate interest and provide practical insights to help you navigate this complex area with confidence.

Short summary:

  • We’ll define the concept of legitimate interest, its role in GDPR compliance, and the importance of balancing it with data subject rights. 
  • We’ll explore real-life situations where legitimate interests might apply, such as fraud detection, network security, and employee/client data processing. 
  • Finally, we’ll discuss how to conduct a GDPR Legitimate Interest Assessment (LIA) and provide expert guidance on data privacy and GDPR compliance. 

Let’s get started!

Understanding legitimate interest under GDPR

Legitimate interest is a lawful basis for data processing under GDPR, which allows organizations to process personal data for their own interests, as long as the interests or fundamental rights and freedoms of the data subject (usually the customer) are not compromised. 

Organizations need to strike a balance between their legitimate interests and the rights of the data subjects. 

The key to determining whether processing personal data based on legitimate interests is allowed under GDPR lies in weighing the benefits of data collection against the interests or fundamental rights and freedoms of the data subject. 

It’s the business owner’s responsibility to ensure user privacy is safeguarded and that the legitimate interests pursued by the organization are balanced with the rights of the data subject.

What is GDPR legitimate interest?

In essence, legitimate interest applies when an organization uses personal data in a way that the data subject would expect, and the interests of the data subject are still respected.

One way to determine if legitimate interest can be applied for a specific purpose is by conducting a legitimate interest purpose test. 

This test helps organizations assess whether legitimate interest is the most suitable legal basis for their data processing activities. Organizations must consider various questions before deciding if processing data based on legitimate interests is the right move.

Balancing data subject rights and legitimate interests

Data subject rights are essential for GDPR compliance, as they give individuals control over their personal data. Compliance with these rights is a must to avoid penalties and maintain customers’ trust. 

In addition to adhering to data subject rights, organizations must be prepared to erase data when an individual objects to its processing via a Data Subject Access Request (DSAR). This means that individuals can ask for their data to be removed from the organization’s systems, and organizations need to have procedures in place to respond to these requests quickly and efficiently.

Protecting data subject rights when processing personal data

Under GDPR, data subjects have various rights, such as the right to access, rectify, erase, restrict processing, data portability, object to processing, and not be subjected to automated decision-making. Organizations must respect these rights and ensure that they comply with GDPR.

If organizations cannot justify their legitimate interests in data processing, they could face consequences. For instance, if individuals disagree with such interests, they can request that the organization remove their records with a DSAR. If the organization cannot prove its reasoning, it could be penalized for collecting data unlawfully.

Addressing objections and DSARs

A Data Subject Access Request (DSAR) is a way for individuals to obtain a full record of the data an organization has on them and why it was collected. Properly handling objections and DSARs under GDPR is crucial for organizations to maintain compliance and trust with their customers.

The best way to address objections and DSARs under GDPR is to create policies and procedures for evaluating objections from data subjects, and to document the handling of each DSAR thoroughly to show compliance with the GDPR. This includes providing individuals with a copy of any related information about them when responding to a DSAR.

Making it real: Situations in which legitimate interest might be applied

Now that we’ve established the concept of legitimate interest and its role in GDPR compliance, let’s delve into some real-life scenarios. It’s important to remember that each situation is unique, and organizations must carefully assess the legitimacy of their data processing activities in light of GDPR requirements.

Some examples of situations where legitimate interests may apply include fraud detection and crime prevention, network and information security, and processing employee or client data. In the following sections, we’ll explore each of these scenarios in more detail, providing practical insights into how legitimate interests can be applied effectively and responsibly.

Fraud detection and crime prevention

Legitimate interest can be applied in situations involving fraud detection and crime prevention, as data processing for these purposes usually passes the purpose test. This means that only the necessity and balancing tests need to be considered for a specific case.

Example: A bank

Let’s consider a financial institution, such as a bank, that processes personal data to identify and prevent fraudulent activities. The bank has a legitimate interest in protecting its customers’ assets, maintaining the integrity of its systems, and complying with legal and regulatory requirements related to fraud prevention.

To achieve these objectives, the bank may collect and analyze various types of personal data, including transaction records, account information, IP addresses, device information, and patterns of customer behavior. The processing activities based on legitimate interest may include:

  • Real-time monitoring: The bank may analyze transactional data to identify unusual or suspicious patterns that could indicate fraudulent activity. For example, if a customer’s account suddenly shows a series of high-value transactions in different locations within a short period, it may trigger further investigation.
  • Risk assessment: The bank may assess the risk associated with specific transactions or customer profiles. Factors such as transaction size, frequency, and geographical location can be evaluated to identify potentially fraudulent behavior.
  • Information sharing: In cases where fraudulent activity is suspected, the bank may share relevant data with law enforcement agencies or other financial institutions to aid in investigations and prevent further criminal activities.
  • Security measures: The bank may implement security measures, such as multi-factor authentication, to protect customer accounts and sensitive data from unauthorized access or fraudulent use.

By relying on legitimate interest as a lawful basis for processing, the bank can efficiently detect and prevent fraud while ensuring the security and trust of its customers. However, the bank must still conduct a legitimate interest assessment (LIA) to demonstrate that its interests are balanced against individuals’ rights and freedoms, and it must provide transparent information to customers about the processing activities related to fraud detection and prevention.

Network and information security

In the realm of network and information security, legitimate interests can be used as a legal basis for processing personal data. Organizations must ensure that the necessary and proportionate processing of personal data is carried out for security purposes, as outlined in Recital 49 of the GDPR.

By relying on legitimate interests for network and information security, organizations can protect their systems and data from potential security threats while maintaining compliance with GDPR. Organizations must evaluate the potential impact of their data processing activities on data subjects and take necessary steps to mitigate any risks.

Example: A tech company

Consider a technology company that provides cloud-based services to its clients. To ensure the security and integrity of its network infrastructure and protect against unauthorized access or cyberattacks, the company has a legitimate interest in processing personal data. This processing activity aims to maintain the confidentiality, availability, and resilience of its systems.

The legitimate interest-based processing activities for network and information security may include:

  • Security monitoring: The company may collect and analyze network logs, system logs, and other relevant data to monitor for suspicious activities, such as unauthorized access attempts, malware infections, or network vulnerabilities.
  • Incident response: In the event of a security breach or suspected cyberattack, the company may process personal data to investigate the incident, identify the root cause, and take appropriate remedial actions to mitigate the impact and prevent future incidents.
  • Access controls: The company may process personal data to manage user access and authorization levels to ensure that only authorized individuals can access sensitive systems and data.
  • Security assessments: Regular security assessments, such as vulnerability scanning and penetration testing, may be conducted to identify and address potential weaknesses in the company’s network infrastructure and software applications.
  • Security updates and patches: The company may process personal data to apply necessary updates, security patches, and configuration changes to its systems and software to protect against known vulnerabilities.

By relying on legitimate interest, the company can proactively safeguard its network and information security without obtaining explicit consent from individuals. However, the company needs to conduct a legitimate interest assessment (LIA) to ensure that its interests align with individuals’ rights and freedoms and to provide transparent information about its security measures to relevant stakeholders.

Processing and retaining employee or client data

Legitimate interest can also be applied to processing or retaining employee or client data, as long as there is a relevant and appropriate relationship between the data subject and the controller. Accenture, for example, has a privacy policy in place that outlines the legal basis for data processing purposes such as communicating with candidates and selecting the best candidate for job openings.

In some cases, organizations may choose to retain the personal details of job applicants under the legitimate interest condition if they believe it would be beneficial to keep the data beyond the legally required six months, as the applicants might be suitable for future positions. This highlights the flexibility and practicality of legitimate interests as a legal basis for data processing under GDPR.

Example: An HR department

Consider a company’s HR department. It processes personal data of employees for various legitimate interests related to employment and personnel management. The processing activities aim to ensure efficient HR operations, comply with legal obligations, and provide a safe and productive work environment.

Legitimate interest-based processing activities for employee data may include:

  • Payroll and benefits administration: The HR department processes personal data, such as bank account details and tax information, to ensure accurate salary payments, manage employee benefits, and comply with tax and social security regulations.
  • Performance management: Personal data, including performance evaluations and feedback, may be processed to assess employee performance, identify training needs, and make informed decisions regarding promotions, bonuses, or disciplinary actions.
  • Employee communication: Personal contact details, such as email addresses and phone numbers, may be processed to facilitate internal communication, including updates on company policies, training programs, or organizational changes.
  • Health and safety: The HR department may process personal data, such as health questionnaires or records of work-related injuries, to ensure compliance with health and safety regulations and provide a safe working environment for employees.

Direct marketing

Transparency is crucial when relying on legitimate interests for direct marketing purposes. Organizations must inform users about their data and how it’s being processed to maintain trust and credibility.

Example: A retailer

Imagine a retail company that sells consumer products. The company may have a legitimate interest in processing personal data for direct marketing purposes to promote its products and services to existing or potential customers.

Legitimate interest-based processing activities for direct marketing may include:

  • Targeted advertising: The company may process personal data, such as demographic information, purchase history, or browsing behavior, to tailor advertising messages and promotional offers to specific customer segments or individuals. This helps ensure that marketing efforts are more relevant and personalized.
  • Customer relationship management: The company may process personal data, including contact details and previous interactions, to maintain and manage relationships with customers. This involves sending marketing communications, such as newsletters, product updates, or special offers, to keep customers informed about new products, discounts, or loyalty programs.
  • Market research and analysis: Personal data may be processed to conduct market research and analyze customer preferences, buying behavior, or feedback. This information helps the company understand consumer trends, improve products or services, and develop effective marketing strategies.
  • Opt-out management: The company may process personal data to manage customer preferences and unsubscribe requests. This ensures compliance with data protection regulations and allows individuals to easily opt out of receiving further marketing communications if they no longer wish to do so.

It is important to note that even when relying on legitimate interest for direct marketing, organizations must respect individuals’ rights and provide clear opportunities to opt out of receiving further marketing communications. Organizations should also ensure that their marketing activities comply with applicable data protection laws, industry standards, and guidelines related to direct marketing.

Furthermore, organizations should conduct a legitimate interest assessment (LIA) to demonstrate that their interests are balanced with individuals’ rights and freedoms and to ensure that their marketing practices are fair, transparent, and respectful of individuals’ privacy choices.

How to conduct a GDPR Legitimate Interest Assessment (LIA)

To ensure compliance with GDPR requirements and demonstrate that their legitimate interests are valid, organizations must conduct a GDPR Legitimate Interest Assessment (LIA). The LIA is a process that evaluates the potential effects of data processing activities on the data subject and takes necessary steps to reduce any risks.

The Information Commissioner’s Office (ICO) suggests a three-part test for conducting an LIA: 

  1. Purpose: The purpose test helps determine if legitimate interest is the best legal basis for a specific data processing activity. 
  2. Necessity: The necessity test examines whether the data processing is actually necessary to achieve the intended outcome.
  3. Balance: Finally, the balancing test evaluates if the data subject’s interests should take precedence over the legitimate interest. 

By following this three-part test, organizations can ensure that their data processing activities are in line with GDPR requirements and maintain compliance.

Get expert guidance on data privacy and GDPR

Navigating the complexities of GDPR compliance and data privacy can be challenging for organizations. Seeking expert guidance can help businesses ensure they meet GDPR and protect their customers’ personal data.

Chat with our compliance experts: A free 15-Min AMA 

Let’s chat. Connect with a compliance expert to find out how GDPR applies to your business—no strings attached. Book a chat here.

Our 5-step approach makes GDPR much easier to navigate:

  • STEP 1: Kick-off. After a deep dive into data privacy, our experts customize your GDPR compliance roadmap
  • STEP 2: Onboarding. Get up and running with GDPR policy templates, automated vendor discovery, and clear action items
  • STEP 3: Implementation. Efficiently implement and operationalize GDPR with guided workflows, automation, and support from our experts
  • STEP 4: GDPR assessment and reporting. As a third party, Thoropass delivers a transparent assessment and report to share with customers and prospects
  • STEP 5: And beyond… Leverage our extensive platform to add frameworks, renew attestation, and ensure continuous compliance

Learn more about what your GDPR compliance journey with Thoropass will look like here!
Frequently asked questions about GDPR legitimate interest

A legitimate interest is when a company/organization processes personal data to fulfill its legitimate interests or the interests of third parties, as long as this does not outweigh an individual’s rights and freedoms. Such activities include maintaining customer relationships, direct marketing, fraud prevention, and ensuring the security of IT systems.

These activities must be balanced against the individual’s rights and freedoms, and the company/organization must be able to demonstrate that the processing is necessary and proportionate. This means that the company/organization must be able to show that the processing is necessary for the legitimate interests pursued.

The Legitimate Interests Exception allows organizations to process personal data without consent in certain situations, as long as the processing is necessary for the legitimate interests of the organization and appropriate safeguards have been put in place to protect individuals’ privacy rights. This exception is a part of the PDPA amendments that came into effect on 1 February 2021.

Legitimate interest cookies are set on the basis of legitimate interest rather than the user’s consent. They can help increase security, improve website performance, and prevent fraud, all while providing a better experience for users.

Therefore, these cookies are important in ensuring that websites remain secure and provide satisfactory services.
