Legitimate Interest
What is legitimate interest?
Legitimate interest is one of the six lawful bases for processing personal data under the General Data Protection Regulation (GDPR). It refers to the processing of personal data that is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
Legitimate interest is a flexible legal basis for processing personal data. It can be used in a wide range of circumstances, but it puts the onus on the controller to balance their legitimate interests and the necessity of processing the personal data against the interests, rights, and freedoms of the data subject.
To rely on legitimate interest as a legal basis for processing personal data, the controller must ensure that the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party. The controller must also ensure that the interests or fundamental rights and freedoms of the data subject do not override the legitimate interests pursued by the controller or by a third party.
Legal Basis and Legitimate Interest
The GDPR provides six legal bases for processing personal data in Article 6(1):
Processing shall be lawful only if and to the extent that at least one of the following applies:
- (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- (c) processing is necessary for compliance with a legal obligation to which the controller is subject;
- (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
What are the requirements for legitimate interest?
Article 6(1)(f) breaks down into three parts:
- Purpose: ("...processing is necessary for...")
- Necessity: ("...the purposes of the legitimate interests pursued by the controller or by a third party...")
- Balance: ("...except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child...")
It calls for a balancing test: the needs essential to the legitimate interests of the controller (or of third parties) must be weighed against the interests or fundamental rights and freedoms of the data subject.
What other aspects need to be considered with legitimate interest?
When relying on legitimate interest as a legal basis for processing personal data, the controller must ensure that they comply with the Data Protection Principles, such as purpose limitation, data minimization, transparency requirement, accountability principle, and data portability. The controller must also ensure that they comply with the GDPR requirements, such as lawfulness of processing, data subject rights, privacy impact assessment, data protection officer, data breach notification, GDPR compliance, data privacy, data controllers and processors, privacy policy, data protection authority, EU data protection law, and sensitive personal data.
Legitimate Interest and Public Administrations
Public administrations must respect the key principles of EU data protection law, including informing individuals. They must also deal with requests from individuals who have rights under EU data protection law, such as the right to access data. Sanctions if a public administration doesn’t respect EU data protection law may include suspension of activity, warnings, or fines.
Example of legitimate interest
An example could be:
A financial institution adheres to reasonable and proportional procedures, as outlined in advisory guidelines from the relevant government financial regulatory body, to confirm the identity of individuals seeking to open an account. It maintains detailed records of the information used for identity verification.
The controller’s interest is legitimate, and data processing involves only essential and limited information, consistent with industry standards, which can reasonably be expected by data subjects and recommended by regulatory authorities. Adequate measures are in place to minimize any disproportionate or undue impact on data subjects.
Penalties related to the legitimate interest
If a controller fails to comply with the GDPR requirements when relying on legitimate interest as a legal basis for processing personal data, they may face penalties such as suspension of activity, warnings, or fines.
In conclusion, legitimate interest is a flexible legal basis for processing personal data under the GDPR. It can be used in a wide range of circumstances, but it puts the onus on the controller to balance their legitimate interests and the necessity of processing the personal data against the interests, rights, and freedoms of the data subject. When relying on legitimate interest as a legal basis for processing personal data, the controller must ensure that they comply with the Data Protection Principles and the GDPR requirements. Public administrations must also respect the key principles of EU data protection law, including informing individuals, and deal with requests from individuals who have rights under EU data protection law. Penalties for non-compliance with the GDPR requirements when relying on legitimate interest as a legal basis for processing personal data may include suspension of activity, warnings, or fines.
Do you need to verify whether your company is fully compliant with data protection laws?
Focus on your business and keep your compliance documents up-to-date with Seifti:
We provide you with GDPR consultancy and audit services, with all your data processing activities.
Our team will validate that your company’s current data protection policies and procedures are fully compliant.
Also, our experts will help you define the subject rights workflows to avoid issues with the Data Protection Authorities.
If you need further information, do not hesitate to contact us!