Using the GDPR Legitimate Interest Exception in an Illegitimate Way

The GDPR provides a “legitimate interest” exception to the use of personal data. This exception allows companies to use personal data without obtaining consent from the data subject. Although this exception has gained traction lately, the idea of an organization’s legitimate interest in processing personal data is not a new one. The exception first appeared in Article 7 of Directive 95/46/EC, which the GDPR replaced. The exception is cited in Article 6(f), which states:

“Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

Recital 47 states that “the legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing.” This means that who holds the interest is of little importance: it can be our own interest, a third party’s interest or even a commercial interest. Read together with the 6(f) language, however, that interest can be overridden by the interests or fundamental rights and freedoms of the data subject.

A legitimate interest can be found in fraud prevention, in direct marketing, and even in cases where the data subject would reasonably expect the information to be processed.

When deciding whether your company can process user data without consent under the legitimate interest exception, it is recommended that controllers assess the necessity, purpose and balance of the processing.


The necessity prong asks: is the processing necessary to achieve something core to a reasonable business purpose? Put another way, do we really need to process this data to meet this end goal? If there is another way to meet the same end, then controllers must take it.


The purpose question seeks to ensure that controllers want to use the legitimate interest exception for a genuinely legitimate interest. The IAPP has a few resources that discuss which purposes fit best within the exception. Processing employee data, security information, or information collected for legally required reasons all fall within the legitimate interest exception. It can apply in some marketing settings as well, but consent mechanisms are still worthwhile there.


The balance test is the most important when it comes to having a legitimate interest. You can satisfy necessity and purpose; however, the interests of the data subject must still be weighed against the controller’s.

If it is determined that relying on the exception would cause the data subject too much harm, or would not align with what they reasonably expected, then controllers may be denied this exception. Note that the controller’s and the data subject’s interests do not always have to be congruent. If a controller can justify the processing and the potential harm the subject may face, then they are not automatically disqualified from the exception on balance grounds.

If attempting to use the legitimate interest exception, be sure to document the assessment used and include the potential use of the legitimate interest exception in your privacy policy to better demonstrate compliance.
