Legitimate Interests – A Balancing Act

‘Legitimate interests’ is one of the six lawful bases for processing personal data and is regarded as the most flexible, as it can be used in many different circumstances. However, it is not necessarily the most appropriate in every case, and it can be more difficult to satisfy the relevant criteria than for some of the other legal bases. This is because you will need to consider not only the interests of your organisation but also the rights, interests and freedoms of the individuals affected.

In reality, legitimate interests is best suited to situations where the individuals concerned are likely to have a reasonable expectation that your organisation will use their personal information in the way you have chosen to use it, and where the impact on their privacy is likely to be minimal.

If you choose to rely on legitimate interests, you will need to carefully balance the rights and interests of all parties concerned. The following 3-part legitimate interests test is useful for this purpose:

Purpose Test – You need to identify what the legitimate interest is. For example, you may believe it is in your legitimate interests to market your service or product.

Necessity Test – You need to assess whether you NEED to process the personal data in this way to achieve your goal. For example, do you need to conduct telemarketing to sell your product or service, or can the marketing be done in a different, less intrusive way, such as online advertising or leaflet drops? If so, legitimate interests will not apply.

Balancing Test – You need to balance the interests of each party and assess whether the individuals’ interests override the legitimate interest identified. For example, in the case of marketing, you need to ensure that what you do is proportionate and will only have a minimal impact on an individual’s privacy, and that you do not use their personal data in a way that they are likely to object to. You also need to comply with the Privacy and Electronic Communications Regulations when conducting any form of electronic marketing, including marketing by email, text and live or automated voice calls.