What is legitimate interest under the GDPR?

Can you use cookies to collect and process personal information about your website visitors without asking for their consent? Here we explain legitimate interest in 5 minutes.
Legitimate interest is one of the most confusing concepts in the GDPR. However, it is important to understand if you manage a company website or work in marketing or sales.
The General Data Protection Regulation (GDPR) is all about data processing and measures to safeguard the data of EU citizens.
You need a lawful basis if you want to process EU citizens’ personal data.
And yes, sometimes, you can have a legitimate interest in processing data without consent.
But can you use your legitimate interest to use cookies on your website?
Let's take you through legitimate interest and cookies under the GDPR.

Legitimate interest - the short version

Processing data under “legitimate interests” requires that processing is absolutely necessary. If an alternative approach can fulfill the same goal without processing personal data, then processing is not lawful without consent.
Even if you deem processing to be necessary, legitimate interest must be weighed against your users’ fundamental rights and freedoms.
Legitimate interest can be used for fraud prevention, network and information security, threats to public security, or information necessary for a provider to act.

Do cookies fall under legitimate interest?

For direct marketing, cookies that collect and process website visitors’ personal information (whether first-party or third-party cookies) are not likely to fall under legitimate interest.

Why? Using cookies requires you to collect consent under the ePrivacy Directive ("the Cookie Law"). Therefore, using cookies to process personal data (including processing by third parties) is unlawful under the GDPR without consent.

If you have not got the necessary consent, you cannot rely on legitimate interests instead.

If you want to use consent as a lawful basis for personal data collection and processing with cookies, Cookie Information can help you.


What is a legitimate interest under the GDPR?

As a company or organization, you may need to process personal data to carry out tasks related to your business activities. The processing of personal data in that context may not necessarily be justified by a legal obligation or carried out to execute the terms of a contract with an individual. In such cases, the processing of personal data can be justified on the grounds of legitimate interest.

However, the requirements in the GDPR for claiming legitimate interest to collect and process people’s personal data are very strict.
Collecting and processing internet users’ (or people in general) personal information often requires their consent, according to the General Data Protection Regulation (GDPR). However, you can also process users’ personal data without asking for consent if you can claim – prove and document – a legitimate reason to do so.
Let us start by diving straight into Article 6(1) of the GDPR. It concerns the lawful basis for processing personal data.
  1. Processing shall be lawful only if and to the extent that at least one of the following applies:
    (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
    (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
    (c) processing is necessary for compliance with a legal obligation to which the controller is subject;
    (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
    (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
    (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

For most company websites, and for the website owners, managers, marketers and salespersons considering whether their processing of personal data is lawful, only points (a), (b) and (f) will typically apply:

ART. 6 (A, B, F)

Processing data under (f) “legitimate interests” requires that processing is necessary. If an alternative approach could fulfill the same goal without processing personal data, then processing is not lawful without consent.

Even if you deem the processing necessary for a legitimate interest, that interest must still be weighed against the internet users’ fundamental rights and freedoms.

If you would like to claim legitimate interest, you should be prepared to prove what legitimizes your interest with respect to the general interests of the internet user.
An opinion published by the Article 29 Data Protection Working Party, an independent advisory body to the European Commission, stated that the legitimate interest ground under Article 6(1)(f) should be avoided:

In this context, the Working Party also supports the principled approach chosen in the Proposed Regulation of broad prohibitions and narrow exceptions and believes that introducing open-ended exceptions along the lines of Article 6 GDPR, and in particular Art. 6(f) GDPR (legitimate interest ground), should be avoided.


Legitimate interest for direct marketing

So, can you use legitimate interest for direct marketing?
Recital (47): “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”.
Read in isolation, the last line of Recital 47 could give website owners and marketers carte blanche to profile internet users and process all their data without asking. However, this is not the case.

(47) The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller.

Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place.

The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks.

The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

The key thing to notice in Recital 47 is the verb “may”: it characterizes situations that could, but do not necessarily or automatically, justify lawful data processing.
The Recital gives an example in which you (the website owner and data controller) may be able to justify processing your customers’ data, provided that the customer “can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place”.
The Recital goes on to specify that the customer’s interests could override yours where the customer would not reasonably expect further processing of this data in the future.

Let's take a look at an example. Suppose a customer orders a pizza from your website, and you process their address in order to deliver it.

Were you to give the customer a choice to opt out of letting you process that personal information (the address), you would risk being unable to carry out your business task (delivering the pizza).
Therefore, the last sentence in Recital (47), “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”, does not mean that you – or your third-party services – can by default collect and process data for profiling and marketing purposes without consent.
Instead, you must follow the requirements of Article 6(1)(a) by collecting consent if the data you collect is going to be used by processors (third-party services) for marketing purposes.

Can I claim a legitimate interest in using cookies?

The problem is that the ePrivacy Directive controls the use of cookies, and the GDPR controls the data that cookies process.

Confusing right? Yes, but essentially it means that if you use cookies on your website, you need your users’ consent. Therefore, you cannot afterward claim a legitimate interest in processing (or letting third parties process) the data without consent.

In other words, your website’s use of cookies falls under the lawful basis of consent (Article 6(1)(a)).
Valid consent is – with reference to Recital 32 of the GDPR – a “freely given, informed, specific and unambiguous indication of the data subject’s agreement to the processing of personal data”.
That is, the user must explicitly give consent.
Therefore, if you use third-party services on your website that set cookies for online profiling and direct marketing, you are ill-advised to rely on Recital 47 and skip collecting consent.
The Recital does not allow direct marketing or third-party processors to track visitors’ behavior based on site visits, email engagement, IP addresses, geolocation, online identifiers, etc., for marketing purposes.
Recital (70) rejects the possibility of claiming a legitimate interest in processing personal data for marketing purposes.
According to Recital 70, the internet user has the right to object to the processing of personal data, including profiling used for direct marketing.
Suppose you want to use third-party services which collect and process personal information for marketing purposes. In that case, you need freely given consent (see Recital 32) unless you can prove and document an actual legitimate interest.

(70) Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge.

That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.

And remember, using cookies requires you to collect consent (ePrivacy Directive). Therefore, processing personal information (by both first and third parties) is unlawful under the GDPR without valid consent.

Legitimate interest summarized

Suppose you would like to collect and process website visitors’ personal information and use this for direct marketing and/or share this information with third-party services who use it for online behavioral profiling. In that case, you have to decide whether or not your data collection and processing fall under your business’ legitimate interest or if it requires user consent.
If the former, you have to prove and document legitimate interest.
If you claim legitimate interest, it requires planning and strategic thinking on your part. Before you process any data under legitimate interest, it is important that you follow a number of steps.
If you cannot prove legitimate interest, you have to obtain valid consent from the user.
The requirements for consent are described in Recital 32 (must be “clear, affirmative, freely given,” i.e. explicitly given by the user).
Using legitimate interest as the basis for cookies is not an option, except for strictly necessary cookies (which does not include Google Analytics).
Merely informing users that your site uses cookies is far from enough. You must give users an option to decline being tracked by cookies and AdTech companies, and you are required to store your visitors’ consents so that you can produce them if you are subject to inspection by the Data Protection Authorities.
It is necessary that we take the GDPR seriously. The regulation defines how we as businesses can collect and process our visitors’ and customers’ personal information and still respect their right to online privacy.

If you are uncertain whether you have a legitimate interest in collecting and processing personal data, stick to Article 6(1)(a) and get consent. It is easy to obtain a professional website solution that collects and stores GDPR-valid consent. Best of all, you do not have to worry about the legitimacy of data processing if the user has given his or her consent.

Book a compliance meeting

Want to know more about legitimate interest, or whether you can or cannot claim legitimate interest when using cookies?

Book a short talk with our compliance experts.