When can you use legitimate interest as the basis for processing data?
The GDPR, Brazil LGPD, Thailand PDPA, and many other privacy regulations around the globe require that organizations determine the legal basis for processing individuals’ data (customers, employees, etc.) as part of their business operations.
For example, Article 6 of GDPR states that processing shall be lawful only if at least one of the following applies:
- data subject consent has been obtained;
- processing is necessary for the performance of a contract;
- processing is necessary for compliance with a legal obligation;
- processing is necessary to protect someone’s life or to perform a task in the public interest;
- or the processing is necessary for your legitimate interests.
The three most common applicable bases for processing are consent, the performance of a contract, and legitimate interests pursued by the controller or a third party.
Which basis makes the most sense for your specific data processing activities?
Companies have had to change how they approach consent to ensure they are clear and concise about their reasons for processing.
For example, use this test to determine whether consent is your legal basis. Are company operations impossible to conduct without consent? If so, then it’s not the right basis for that activity.
As laid out in the GDPR, the performance of a contract is a criterion the data controller can utilize in order to process data.
While performance of a contract seems simple, there can be danger in an overly broad interpretation of what is within the scope of a contract. Be mindful to not stretch your contract basis outside of its limitations.
Leveraging legitimate interest as the basis for processing data
Legitimate interest is a preferred approach for many organizations because of its flexibility and applicability to any reasonable processing purpose.
In contrast, other legal bases of processing, such as demonstrable consent, center around a specific purpose the individual agreed to.
Legitimate interest is closely tied to what the data subject can reasonably expect from their relationship with the controller, and that expectation should be made extremely clear.
If you choose to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people’s rights and interests.
Organizations should conduct a Legitimate Interest Assessment (LIA) by performing a purpose test, a necessity test, and a balancing test.
Reasonable exceptions for legitimate interest can be shaped by transparency and clarity.
The four boxes you must check to leverage legitimate interest
Box 1. The processing is not required by law but is of a clear benefit to you or others.
An online retailer can promote a pair of sunglasses to someone browsing from a hot location during the peak of the summer season.
Alternatively, an online store might use a visitor’s location data to offer a limited-time free shipping offer to the visitor’s area.
Box 2. There’s a limited privacy impact on the individual.
Most websites collect their visitors’ browsing data to optimize performance for the user. Often, this aligns well with the Legitimate Interests provision.
Collecting this data doesn’t pose a threat as long as it is anonymized.
Box 3. The individual should reasonably expect you to use their data in that way.
Some businesses will want to send communications via email or SMS to remind clients of upcoming appointments.
While it always needs explicit consent, most individuals expect their data to be used in this way.
Box 4. You cannot (or do not want to) give the individual full upfront control (consent) or bother them with disruptive consent requests when they are unlikely to object to the processing.
The use of second-party and third-party data can provide insights about the demographics of customers. This data can be used to identify target segments with personalized content.
When processing this data, you may not want to have to give full control over to the individual to determine what messages they want to receive, as they’re likely relevant to the person.
Do the benefits outweigh the risk for processing data?
Checking off each of these boxes is the single most complex aspect of leveraging legitimate interests as your basis for processing data.
Conducting a legitimate interests assessment is challenging because the logic for determining whether the significance of the benefits outweighs the risk to individuals is complex.
If the benefits outweigh the risks, then the organization may use legitimate interests as its basis for processing data.
The challenging part is that companies must quantify each side of the scale within subcategories of benefits and risks.
Privacy leaders could spend hours creating a spreadsheet to perform a balancing test for each business process for which the company wants to establish legitimate interests as its basis for processing.
Multiplied across the total number of business processes a company has, the balancing tests that must be created could quickly number in the dozens or hundreds across the organization.
Understand the practical steps to manage the EU General Data Protection Regulation, including a compliance roadmap for implementation with the Essential Guide to the GDPR.