Using legitimate interest for marketing under the GDPR is more difficult than you might think


The GDPR, and the fact that it gives data subjects the right to be forgotten, has become a hurdle for marketers. To make things a little more interesting, it is not an absolute right, and there are circumstances where a request to be forgotten can be denied: it’s called legitimate interest.

What is the legitimate interest exception and what does it mean for marketing?

Legitimate interest is the exception the GDPR provides as a way for businesses to process personal information for direct marketing without consent.

So, what happens when someone wants to be forgotten and you think that their interest is too legit... to quit?



Once the request is made, your company has a month to reply. If your company wants to rely on legitimate interest to continue marketing, then your interest cannot be detrimental to the interest of the data subject. Legitimate interest has to be worth overriding the wishes of the data subject. If it’s not?




Your company has the burden of showing why its interests are paramount. Try using something like the Data Protection Network’s Legitimate Interest Assessment to make that determination. The assessment includes three steps: identifying the legitimate interest, a necessity test and a balancing test.

If, after taking the assessment, your company finds that there is a legitimate interest in continuing to process the information, then you must notify the data subject. (I wonder how they’ll take that?) This notification must include why you are not taking the requested action, and inform them of their right to seek judicial remedy.


Forget or do not contact? What’s the best way to comply with a right to be forgotten?

Businesses need workflows in place that rapidly respond to data subjects’ requests to be forgotten. These workflows need to ensure forgotten subjects are never contacted again. Controversially, to some this can include retaining email addresses while deleting other personal information (name, address, etc.). Keeping email addresses in a do not contact list may help make sure they are never contacted. These lists need to be secure and properly labeled.

There should also be a clear line of communication and a protocol in place to inform third parties that the data subject has requested to be forgotten.


Start building consent management and right to be forgotten workflows now.

The GDPR will be enforceable May 25, 2018, which as of the publishing of this blog is less than a month away. PactSafe Consent Management helps you build customized workflows for requests for erasure. Recently, Kyle Robbins JD, Legal Solutions and Privacy at PactSafe, hosted a webinar around building GDPR-compliant workflows with a month to go. Read the webinar summary or watch the recording by clicking here.
