Legitimate Interests under the GDPR
26th July 2017
Two lawful bases come up most often when deciding whether you need permission from a client or customer before processing their personal data. We discussed consent in a previous article. This time we will focus on legitimate interests.
What is a legitimate interest?
There will be times when you don’t need to ask for consent to collect, store, use, disclose, destroy or otherwise ‘process’ personal information. Consent is only one of the lawful bases listed in Article 6(1) of the GDPR. Processing that is necessary for the performance of a contract has its own basis (Article 6(1)(b)), and processing that is necessary for your legitimate interests, or those of a third party, is a separate basis again (Article 6(1)(f)), which only applies where those interests are not overridden by the interests, rights or freedoms of the individual.
Take the example of someone ordering online: in order for the company to fulfil the purchase, payment has to be taken and contact information, such as name, delivery address and telephone number, provided. The seller would also need to record the transaction.
In this scenario it would be misleading to request consent for that processing, because the order cannot be fulfilled without it, and consent that cannot genuinely be refused is not valid consent. The appropriate basis is the contract itself, and your privacy statement should say so. Legitimate interests comes into play for related processing that the contract does not strictly require but that a customer would reasonably expect, such as keeping records of the transaction for fraud prevention, which Recital 47 of the GDPR names expressly as a legitimate interest.
Beyond that, the justification runs out. If the company wished to pass those contact details to a third party (other than those required to fulfil the contract, such as the courier or payment processor) or keep them for future marketing activity, it would need a separate basis, which in practice means consent.
Having a lawful basis for a set of personal data does not automatically entitle you to use it for another purpose, e.g. profiling.
Is direct marketing a legitimate interest?
Recital 47 of the GDPR says that processing for direct marketing purposes “may be regarded as carried out for a legitimate interest”, so it is not ruled out. In practice, however, electronic marketing to individuals (email, SMS and automated calls) is governed by the Privacy and Electronic Communications Regulations (PECR), which generally require consent, and as mentioned in our previous article that consent must be explicitly and individually given. Legitimate interests will only carry you for channels PECR does not restrict, such as postal marketing, and even then you must be able to show that the individual would reasonably expect it and can object at any time, since the right to object to direct marketing under Article 21 is absolute.
You may think that, because you already hold consent for marketing, any further marketing use is covered as a legitimate interest. It is not: a lawful basis for one purpose does not automatically entitle you to use the same data for another. Likewise, consent for direct marketing does not give you authority to pass a customer’s data to a third party or to use it for profiling; each of those is a separate purpose needing its own basis and, where required, its own consent.
Email and other electronic marketing must therefore meet the further standards set by PECR. PECR sits alongside the GDPR rather than being replaced by it, and for marketing in particular it imposes the higher standard of permission that you must adhere to. The GDPR will not change this.
How do I rely on it?
Essentially, you must be able to demonstrate that your business need to process the data is justified and that it is not outweighed by the interests of the individuals concerned. You must tell individuals who you are, what specifically you intend to do with their data and why you need it, and this needs to be clearly stated when they provide their information to you.
Weigh what you do and your obligations to your customer against what the customer would reasonably expect. That comparison tells you whether or not you can rely on legitimate interests, and you should record it, because under the GDPR’s accountability principle it is the evidence a regulator will ask to see.
Once you have identified a legitimate interest, it should be set out fully in your privacy notice. Where data is collected for more than one purpose, each purpose should be stated at the point of collection and explained fully in the privacy notice.
You must give individuals genuine control over their data with the choices you provide.
The GDPR requires your privacy notice to be concise and written in clear, plain language. This is especially important when your services are aimed at children, who should be able to understand what will happen to their data once they have provided it. Keep the upfront message succinct and give the reader the option to read more should they wish to. There are good examples of this layered approach on Microsoft’s website and Facebook.
You cannot bury something unexpected in the privacy statement. Enough information must be given upfront for the individual to understand what will happen to their data.
For example, Ben provides his data to a recruitment company. His expectation is that someone will review his CV and match him with potential employers. What he would not anticipate is the company creating a publicly accessible online profile for him. If the recruitment firm intends to do this and wants to rely on legitimate interests, it must briefly state this at the point Ben provides his information, and he must have the option to find out more in the privacy statement. Because this departs so far from what Ben would expect, the firm should also ask whether his interests override its own; if so, consent is the safer basis.
The GDPR’s lawful bases for processing, from Article 6(1), are listed below. Legitimate interests is the last of the six; the others are separate bases, not examples of it. Whichever basis you rely on, you must be able to document your reasoning, and for legitimate interests in particular that means recording the balancing exercise described above.
- You have consent from the individual concerned
- Your processing is necessary for the performance of a contract with the individual, or to take steps at their request before entering into one
- Your processing is necessary to comply with a legal obligation
- Your processing is necessary to protect the vital interests of a person
- Your processing is necessary for a task carried out in the public interest or in the exercise of official authority
- Your processing is necessary for the purposes of legitimate interests pursued by you or a third party, except where those interests are overridden by the interests, rights or freedoms of the data subject