Legitimate interest - the short version
Do cookies fall under legitimate interest?
For direct marketing, cookies that collect and process website visitors’ personal information (first-party or third-party) are not likely to fall under legitimate interest.
If you have not got the necessary consent, you cannot rely on legitimate interests instead.
If you want to use consent as a lawful basis for personal data collection and processing with cookies, Cookie Information can help you.
If you are unsure whether your website is GDPR compliant, get a free compliance check here!
What is a legitimate interest under the GDPR?
As a company or organization, you may need to process personal data to carry out tasks related to your business activities. The processing of personal data in that context may not necessarily be justified by a legal obligation or carried out to execute the terms of a contract with an individual. In such cases, the processing of personal data can be justified on the grounds of legitimate interest.
Processing shall be lawful only if and to the extent that at least one of the following applies:
- (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- (c) processing is necessary for compliance with a legal obligation to which the controller is subject;
- (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
ART. 6 (A, B, F)
- (a) the data subject has given consent to the processing of the user's personal data for one or more specific purposes;
- (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Consent or legitimate interest?
Processing data under (f) “legitimate interests” requires that processing is necessary. If an alternative approach could fulfill the same goal without processing personal data, then processing is not lawful without consent.
Even if you deem processing a necessary, legitimate interest, it must be weighed against the internet users’ fundamental rights and freedoms.
In this context, the Working Party also supports the principled approach chosen in the Proposed Regulation of broad prohibitions and narrow exceptions and believes that introducing open-ended exceptions along the lines of Article 6 GDPR, and in particular Art. 6(f) GDPR (legitimate interest ground), should be avoided.
Legitimate interest for direct marketing
(47) The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller.
Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place.
The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks.
The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
Let's take a look at an example:
Can I claim a legitimate interest in using cookies?
The problem is that the ePrivacy Directive controls the use of cookies, and the GDPR controls the data that cookies process.
Confusing, right? Yes, but essentially it means that if you use cookies on your website, you need your users’ consent. Therefore, you cannot afterward claim a legitimate interest in processing (or letting third parties process) the data without consent.
(70) Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge.
That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.
Legitimate interest summarized
If you are uncertain whether you have a legitimate interest in collecting and processing personal data, stick to Article 6(a) and get consent. It is easy to obtain a professional website solution that collects and stores GDPR-valid consent. Best of all, you do not have to worry about the legitimacy of data processing if the user has given his or her consent.
Book a compliance meeting
Want to know more about legitimate interest or whether you can or cannot claim legitimate interest when using cookies?
Book a short talk with our compliance experts.