What are GDPR Legitimate Interests?
The UK GDPR defines six legal bases under which personal data can be processed. Article 6(1)(f) refers to legitimate interests as a lawful basis for processing where “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
A controller’s interests can be defined as an advantage or benefit to them, or a stake in the processing or outcome. It is because of these ‘interests’ that the UK GDPR warrants an evaluation when using this legal basis, with Recital 47 stating “the existence of a legitimate interest would need careful assessment”.
When Should You Use Legitimate Interests for Processing Personal Data?
Relying on legitimate interests as the grounds for processing personal data is only lawful when such processing is necessary, and any controller interests are not outweighed by the rights and freedoms of the individual. The UK GDPR also notes that legitimate interests cannot be relied upon by public authorities in the performance of their tasks.
The UK GDPR mandates documenting any legitimate interests assessment and decision. An organisation is also required to record in its privacy notice any legitimate interests pursued by the controller or by a third party where processing is based on point (f) of Article 6(1). A Legitimate Interests Assessment Template can help to keep the review consistent and compliant.
Legitimate Interests 3-Part Test
The Information Commissioner’s Office (ICO) has defined a 3-part test for assessing the use of legitimate interests, breaking it down into:
- Purpose – documenting the purpose of the processing and what function it serves for the controller provides the basis for identifying any legitimate interest(s) and documenting them.
- Necessity – a business must be able to demonstrate that processing is necessary and evidence that there is no less intrusive way to achieve the same result.
- Balancing – the final stage is to balance the processing against the individual’s interests, rights and freedoms and ensure that the individual’s interests do not override those of the controller.
GDPR Toolkit & Data Protection Policy Templates
We provide market-leading UK GDPR Bundles and Toolkits with customisable data protection templates to suit every industry and business type. With thousands of organisations already using our GDPR policy templates, you can be assured of high-quality, professional documents. Our 11-page Legitimate Interests Assessment (LIA) Template is provided in the GDPR Bundle and GDPR Toolkit, along with all mandatory GDPR template policies and procedures.