GDPR Legitimate Interest

A core GDPR requirement is that any processing of personal data has a valid business purpose AND has one of the six lawful / legal basis that GDPR allows. Do read our knowledge base article on the GDPR legal basis topic for more information. Legitimate interest is one of six legal basis in GDPR that organisations can base their use of personal data on. GDPR legitimate interest includes an extra responsibility to protect individuals’ rights and interests in a legitimate interest assessment. The legitimate interest can be an interest in your organisation (operating an effective business) or one of your partners (serving efficient support services).

Before you can use legitimate interest as a legal basis, you will have to determine there is in fact a legitimate interest and that interest is justified. The Legitimate Interest Assessment (LIA) assessment can help you in this respect. You weigh the legitimate interest, the benefits, the privacy harms.

Step 1: Identify the Legitimate Interest

To use legitimate interest as a legal basis, there are initially two requirements. First, you must identify an interest. Second, that interest must be legitimate.

There is a connection between the interest and the purpose. Yet, they are still different. This, since the purpose relates to the processing activity while the aim of the interest is bigger. The interest can e.g. be societal, cultural, or economic.

A wide range of interests may be seen as legitimate including the legitimate interests of any third party. The most important part is that you as a controller can motivate why the interest is legitimate.

Step 2: The Necessity Test

Necessity is fundamental to data protection and works as a proportionality test. In your assessment of legitimate interest, you must research alternative methods. If so, you must assess the potential impact of the method on the data subject.

The necessity test is something that a controller might forget. If the controller has not researched alternatives the chosen method cannot be proportionate. As a result, you cannot do the balancing exercise.

Example: Why is the processing crucial to us? Are there alternative ways to reach the aim?

Step 3: The Balancing Test

The next step in the assessment of the legitimate interest, after researching alternatives, is to do a balancing exercise. This test attempts to weigh the interest of the data subject and the interest of the controller. Of course, the test is hypothetical. Since no one knows the exact interest of each data subject, the assessment includes what a data subject normally wants. In this case, privacy and respect for its fundamental human rights.