GDPR: Four questions about data and 'legitimate interests'

On this date next year, the General Data Protection Regulation will have come into force across Europe and, even with Brexit on the horizon, in the UK, too.

Over the last few months we have covered some of the frequently asked questions about marketing consent, data subject rights and data profiling. This week we look at 'legitimate interests'.

Currently, the guidelines on what constitutes 'legitimate interests' can differ between EU countries. However, an independent advisory board suggests that the following assessment take place before any decision is made to process personal data:

  • Determine if an interest is legitimate or illegitimate
  • Determine whether processing is necessary to achieve the interest pursued
  • Assess whether a data controller's interest is overridden by fundamental rights or interests of the data subjects
  • Establish any additional safeguards
  • Demonstrate compliance and ensure transparency

While these requirements will remain broadly equivalent under GDPR, data processors will need to be aware of new stipulations, including:

  • The interests and rights of children. Data processors will have to ensure that any 'legitimate interest' uses are carefully documented and a risk assessment has been conducted
  • 'Legitimate interests' can no longer be relied upon by public authorities (a national, state or local governmental agency) in relation to data processed by them in the performance of their tasks

1. What are 'legitimate interests'?

Examples of when processing could be permitted include fraud prevention, internal administrative purposes, ensuring network and information security, and reporting possible criminal acts.

2. Will I be required to keep records?

If you are a controller that relies on ‘legitimate interests’ for data collection, then a record will be needed to show that proper consideration has been given to the rights and freedoms of data subjects.

3. Can all businesses use the 'legitimate interest' route?

As mentioned, public authorities cannot use the 'legitimate interest' route. 'Legitimate interest' can only be used for post and telephone marketing. Other methods (email, SMS and automated calls) require consent.

4. Can individuals object to this form of data collection?

Data subjects have the right to object to processing under legitimate interests. Individuals can unsubscribe/opt out of the processing of their personal information. You will also have to check if the individual is registered on any suppression lists before contacting them. 

Are you prepared for GDPR? BlueVenn GDPR Assessments

What stage are you at with your preparations for GDPR? Our compliance specialists can help assess the condition of your database and offer assistance with issues relating to contracts, policies and other marketing practices.
