This post is also available in: SK (SK)

Legitimate interests may appear to be the most flexible legal basis for the processing of personal data.

Its advantage is that

  • it is not bound to a specific purpose by the GDPR (it is, therefore, applicable to different situations),
  • provides a more stable legal basis for processing than consent, which can be revoked at any time by the data subject (of course, there is a possibility to object even in the case of legitimate interests, but objection must be justified),
  • it makes you think about the risks of your processing for the data subjects and take security measures (thus fulfilling the requirement of “privacy by default” or “privacy by design”) or it makes you decide that you are required to carry out a data protection impact assessment (DPIA),
  • its proper use allows you to avoid so-called “consent fatigue” and bombarding individuals with consent requests.

However, you cannot automatically assume that you can use this legal basis at any time.

First of all, it must be emphasized that processing must be necessary. If you can achieve the same result in another less intrusive way, legitimate interests will not apply. If you are a public authority, you cannot rely on legitimate interests in the performance of your tasks.

Legitimate interests are most likely to be an appropriate legal basis in cases where you use the data in ways that people could reasonably expect and which have minimal privacy impact, or if you demonstrate that the processing has a significant advantage, benefit or importance. Legitimate interests may be your own interests or the interests of third parties (e.g. business interests, individual interests or wider social benefits).

 On the contrary, you should avoid using this legal basis in cases where you intend to use the data in a way that people do not understand or would not reasonably expect, or if you would expect to receive objections to processing. You should not use this basis also in cases where the processing could cause harm to the data subjects and you are not sure whether there is a compelling reason to continue processing that justifies such harm. Legitimate interests are also disqualified if the processing would be contrary to legal or ethical standards or if you do not have a clearly defined purpose for the processing (e.g. you only store the data in case you might need it in the future). Legitimate interests will also not be an appropriate legal basis if you are not sure whether the rights and interests of individuals outweigh your legitimate interests, or if there is another, more appropriate legal basis for processing.

 If you choose to rely on legitimate interests, you are responsible that the rights and interests of the individuals involved will be properly considered and protected, and you must be prepared for the amount of work to be done before processing begins.

Before starting processing, you must perform a so-called legitimate interest test, which has three parts. You can learn more about this test in our article How to process personal data correctly based on “legitimate interest”.

You must keep records of the assessment of your legitimate interest to help you demonstrate the compliance of your practices with the GDPR. You must include information about your legitimate interests in your information addressed to data subjects or in the privacy policy.

It is important to note that although the GDPR directly mentions some processing operations, which could be considered as performed in the legitimate interests (e.g. direct marketing, intra-group transfers, etc.), even this demonstrative enumeration does not relieve the controller from the obligation to carry out a test of legitimate interest and to duly inform the data subjects.

This article is for general and informational purposes only, and the conclusions, opinions or recommendations presented herein may not apply to a specific situation. The article does not constitute legal advice or replace it. When solving a specific problem or situation, we always recommend consulting a lawyer.