Understanding Legitimate Interests v. Consent
Under the General Data Protection Regulation (GDPR) Data Controllers must have a lawful basis for processing any personal data.
Article 6(1) of the GDPR states that the following 6 are the recognised lawful grounds for data processing:
The individual has opted in and consented to having his or her personal information processed.
- Contractual Obligation
It is necessary to process the personal data to fulfil your contract or precontractual obligations.
- Legal Obligation
It is necessary to process the personal data to fulfil a legal obligation.
- Vital Interests
It is necessary to process the personal data to protect the vital interest of the individual or another individual.
- Public Task
It is in the exercise of official authority or within the public’s interest to process the personal data.
- Legitimate Interests
Processing of the personal data is necessary under the Legitimate Interests of the Data Controller or Third Party, unless these interests are overridden by the individual’s interests or fundamental rights.
If you are a data controller you must be able to prove that one of the above is the purpose of your data processing. Neither one has a different weighting to the other, they are all equally lawful reasons to process personal data. So, whether you have ‘opt in consent’ or can prove that processing personal data is within the public’s interest, then you are equally compliant under GDPR regulations.
In preparation for GDPR you need to identify each data pool you hold, HR, clients, prospects, websites, suppliers etc and clearly record what lawful condition for processing you are relying upon – more than one may apply to each data pool, and in fact different records within each data-set.
What is a ‘Legitimate Interest’?
Legitimate Interest is explained in great detail within Recitals 47 – 50 of the GDPR and can be summed up as a benefit(s) the Controller may gain from processing the data; a Controller must record the fact that they are relying upon legitimate interest, and it is recommending that a Legitimate Interest Impact Assessment (LIA) be performed, for reasons which will become clear later. According to the Article 29 Working Party, who represent the Data Protection Supervisory Authorities, the legitimate interest should be clearly defined and should not be too vague. For example, ‘to gain a profit’ is a not a legitimate reason in this sense! An interest is considered legitimate only if the Controller can pursue it in a way that complies with the current data protection laws.
It is also important to note that the Legitimate Interest of the Controller must be offset to the fundamental rights and interests of the individual (or individuals) affected by the processing. This is called the ‘Balance of Interests Condition’, and it is the Controllers duty to ensure that these interests or fundamental rights held by the individual are not overridden.
Examples of ‘Legitimate Interests’
- Direct Marketing
It is perfectly acceptable to process personal information which has been fairly and lawfully obtained for traditional direct marketing purposes, by this we mean postal letters. If you process data for electronic marketing purposes you need to rely on consent and not legitimate interests and also consider the PECR legislation.
If you send direct marketing and someone unsubscribes from your list, it may be necessary for you to hold and process personal information on this individual to ensure that you uphold their request. This type of information should be held on a ‘suppression file’ to ensure you are compliant with GDPR.
Processing personal data as part of an anti-fraud measurement is both in the interests of the Data Controller but also in the interests of their customer, it is therefore a valid Legitimate Interest of both and meets GDPR requirements as a lawful basis for data processing. Legitimate interests also allows employers and companies to monitors their networks for unusual activity and to prevent cyber-crime.
- Human Resourcing
If the personal data of employees is processed to drive decisions, such as the best options for staff benefits, then this meets the GDPR’s criteria of a Legitimate Interest. Processing personal data for other purposes will probably come under the contractual clause condition, or the processing personal data because it is required by statute or law.
How does the ‘Legitimate Interests’ as a basis of data processing impact the individual’s rights?
Right to erasure… If Controllers use Legitimate Interests as their lawful basis of data processing, then, unlike in the case of Consent, the individual does not have an automatic right to erasure. The right to erasure would only apply if the Controller could not justify the legitimacy of the processing after the individual had objected to the processing.
Right to object… If Controllers use Legitimate Interests as their lawful basis of data processing, then the individuals have a right to object to the processing. In some cases, the objection would be sufficient for their data to be erased. However, due to the Balance of Interests Condition, the objection may not be sufficient to override the Controllers Legitimate Interests.
It is the Controller’s duty to ensure there is an easy and clear way for the individuals to object and request erasure. This method must also be recorded and filed, should the information need to be presented in the event of an investigation.
When the GDPR comes into effect in May next year, if you choose to use Legitimate Interests as a lawful basis of data processing (without Consent also being obtained) then you must start to prepare sooner rather than later. You must ensure that you can clearly illustrate that any intended data processing post GDPR is both necessary and meets the Balance of Interests Condition, or you could face fines from the ICO.
If you’d like to discuss whether your data processing intents meet the requirements for ‘Legitimate Interests’, or would just like to know more, then give us a call today, 01673 885533 or email us [email protected]. We’re here to help.