Article 6 of the General Data Protection Regulation (EU) 2016/679 (GDPR) requires data controllers to have a valid lawful basis for processing in place before any processing activity begins. Of the six lawful bases available, Article 6(1)(f), legitimate interests, gives data controllers the most flexible approach to the lawful basis requirement, because it is not tied to a specific purpose. In theory this allows the data controller more freedom when designing, implementing and running a processing operation.
However, this enhanced freedom is not without its limitations and challenges. In this piece we examine the concept of legitimate interest under the GDPR and how organisations can ensure full compliance with the GDPR when relying on legitimate interest.
When is Legitimate Interest an Appropriate Lawful Basis of Processing?
From the text of the GDPR, Article 6(1)(f) reads:
“Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
Because the data subject is in a weaker position when their data is processed under legitimate interest (they have neither consented to the processing nor entered into a contract that requires it), an extra layer of accountability and responsibility falls on the data controller. Consideration must be given to the protection of the rights and freedoms of these data subjects. Typically, legitimate interest will only be appropriate where:
- The processing operation would have a minimal privacy impact on the individual
- The individual whose data is being processed would reasonably expect it to be done so in this way; and
- The processing is of clear benefit to your organisation or others.
Whilst not expressly required by the GDPR, examining the wording of Article 6(1)(f) and its requirements we can derive a three-part test for evaluating whether legitimate interest is appropriate. The three-part test is as follows:
- Identify the legitimate interest (the Purpose test)
- Show that the processing is necessary to achieve it (the Necessity test); and
- Balance the legitimate interest against the data subject’s interests, rights and freedoms (the Balance test).
The Purpose Test
The first step is to document the purpose of the proposed processing operation and what function it will serve for your organisation. Defining and documenting the purpose gives the data controller the means to establish the most appropriate lawful basis for processing. If, once the purpose test is complete, you still wish to rely on legitimate interest, move on to the necessity test.
The Necessity Test
When relying on legitimate interest, the processing must be targeted and proportionate to the objective of the proposed processing operation. The golden rule here is that legitimate interest will not be the appropriate basis for processing if the same objective can reasonably be achieved in a less intrusive way, for example by processing less data, or by processing it in a way the data subject has more control over. If you can show that the processing is necessary in this sense, move on to the final test, the balance test.
The Balance Test
The final step is to weigh the interests, rights and freedoms of the data subjects whose personal data your organisation intends to process against the benefit that processing under legitimate interest will provide. If the data subjects' interests override your organisation's, legitimate interest cannot be relied upon. This step requires documented evidence showing that the data subjects' interests have been considered and are compatible with your organisation's intended processing.
Conducting a Legitimate Interest Assessment
Conducting a Legitimate Interest Assessment (LIA) is a good way for your organisation to work through the three-part test properly and establish whether legitimate interest is the most appropriate lawful basis for the proposed processing operation. Although not formally required by the GDPR, undertaking an LIA is an excellent way to document your organisation's commitment to protecting the rights and freedoms of the data subjects whose data you intend to process, in line with the principle of accountability.
The assessment itself is a series of questions that work systematically through the three-part test. It is designed to evaluate the risks of relying on legitimate interest for the proposed processing operation and to identify any privacy shortfalls that may arise. As you work through the test, any risks identified are entered into a risk log, which can then be examined and remedied to ensure the fullest possible compliance with the GDPR.
Trilateral Research has developed its own LIA template, which is available to organisations considering legitimate interest as a lawful basis of processing.
For more information, please refer to our service pages or contact our Data Governance team.