Legitimate interest is one of the most confusing concepts in the GDPR. However, it is an important concept to understand if you manage a company website, work in marketing or sales.
The General Data Protection Regulation (GDPR) is all about data processing and measures to safeguard the data of EU citizens.
If you want to process EU citizens’ personal data, you need a lawful basis.
And yes, sometimes you can have a legitimate interest in processing data without consent.
Let’s take you through legitimate interest and cookies under the GDPR.
Legitimate Interest - the short version
Processing data under “legitimate interests” requires that processing is absolutely necessary. If an alternative approach can fulfill the same goal without processing personal data, then processing is not lawful without consent.
Even if you deem processing to be necessary, legitimate interest must be weighed against the fundamental rights and freedoms of your users.
If you still like to claim legitimate interest, you should be prepared to prove what legitimizes your interest in respect to the general interests of your user.
Legitimate interest can be used for fraud prevention; network and information security; threats to public security or information necessary for a provider to carry out an action.
What about cookies?
Cookies which collect and process website visitors’ personal information (first or third party) for direct marketing do not likely to fall under the area of Legitimate Interest.
Why? Using cookies requires you to collect consent under the ePrivacy Directive (“the Cookie Law”), therefore using cookies to process personal data (also by third parties) is unlawful under the GDPR without consent.
If you have not got the necessary consent, you cannot rely on legitimate interests instead.
If you want to use consent as a lawful basis for personal data collection and processing with cookies, Cookie Information can help you.
What is legitimate interest under the GDPR?
As a company or organization, you may need to process personal data in order to carry out tasks related to your business activities. The processing of personal data in that context may not necessarily be justified by a legal obligation or carried out to execute the terms of a contract with an individual. In such cases, processing of personal data can be justified on grounds of legitimate interest.
However, the requirements in the GDPR for claiming legitimate interest to collect and process people’s personal data are very strict.
Collecting and processing internet users’ (or people in general) personal information often requires their consent, according to the General Data Protection Regulation (GDPR). However, you can also process users’ personal data without asking for consent if you can claim – prove and document – a legitimate reason to do so.
Let us start by diving straight into Article 6(1) of the GDPR. It concerns the lawful basis of processing personal data.
- Processing shall be lawful only if and to the extent that at least one of the following applies:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks
For most company websites; website owners and managers; marketers and sale persons, considering whether their processing of personal data is lawful, only subparagraphs (a), (b), and (f) will typically apply:
ART. 6 (A, B, F)
Consent or legitimate interest?
Processing data under (f) “legitimate interests” requires that processing is absolutely necessary. If an alternative approach could fulfil the same goal without processing personal data, then processing is not lawful without consent.
Even if you deem processing to be necessary, legitimate interest must be weighed against the internet users’ fundamental rights and freedoms.
If you would like to claim legitimate interest, you should be prepared to prove what legitimizes your interest in respect to the general interests of the internet user.
An opinion posted by Article 29 Data Protection Working Party, an independent advisory body to the EC stated call-out that the legitimate interest ground under 6(f) should be avoided.
In this context, the Working Party also supports the principled approach chosen in the Proposed Regulation of broad prohibitions and narrow exceptions and believes that the introduction of open-ended exceptions along the lines of Article 6 GDPR, and in particular Art. 6(f) GDPR (legitimate interest ground), should be avoided.
Legitimate interest for direct marketing
Then, can you use legitimate interest for direct marketing?
Recital (47): “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”.
The last line of recital 47 of the GDPR could give website owners and marketeers carte blanche to profiling internet users and process all their data without ever asking. However, this is not the case.
(47) The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller.
Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place.
The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks.
The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
The key thing to notice in recital 47 is the verb “may” in characterizing situations that could, but do not necessarily or automatically justify lawful data processing.
The recital suggests an example where you (website owner and data controller) may be able to justify data processing for your customers, provided that your customer “can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place”.
The recital goes on to specify that the customer then would not reasonably expect further processing of this data in the future.
Let’s take a look at an example:
Were you to give the customer the choice to opt-out to letting you process the personal information (the address), you would risk not being able to carry out your business task (delivering the pizza).
Therefore, the last sentence in Recital (47) “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest“ does not mean that you – or your third-party services – by default can collect and process data for profiling and marketing purposes without consent.
Instead you must follow the requirements in (a) by collecting consent if the data you collect is going to be used by processors (third-party services) for marketing purposes.
Valid consent is – with respect to Recital 32 of the GDPR – a “freely given, informed, specific and unambiguous indication of the data subject’s agreement to the processing of personal data “.
That is, consent must be explicitly given by the user.
Therefore, if you use third-party services on your website which set cookies used for online profiling and direct marketing, you are ill-advised to stick to Recital 47 and skip collecting consents.
The recital does not allow for direct marketing or third-party processing to track visitors’ behavior based on site visits, email engagement, IP-addresses, geolocation, online identifiers etc. for marketing purposes.
Actually, Recital (70) rejects the possibility of claiming legitimate interest processing personal data for marketing purposes.
According to Recital 70, the internet user has the right to object to the processing of personal data including profiling used for direct marketing.
If you want to use third-party services which collect and process personal information for marketing purposes, you need a freely given consent (see Recital 32) unless you can prove and document an actual legitimate interest.
(70) Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge.
That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.
And remember, using cookies requires you to collect consent (ePrivacy Directive). Therefore, processing personal information (both by first- and third parties) is unlawful under the GDPR without valid consent.
Legitimate interest summarized
If you would like to collect and process website visitors’ personal information and use this for direct marketing and/or share this information with third-party services who use it for online behavioral profiling, you have to decide whether or not your data collection and processing fall under your business’ legitimate interest or if it requires user consent.
If the former, you have to prove and document legitimate interest.
If you claim legitimate interest, it requires planning and strategic thinking on your part. Before you process any data under legitimate interest, it is important that you follow a number of steps.
Link: Steps to claim legitimate interest under the GDPR (external link)
If you cannot prove legitimate interest, you have to obtain valid consent from the user.
The requirements for consent are described in Recital 32 (must be “clear, affirmative, freely given” i.e. explicitly given by the user).
Using legitimate interest for cookies is not an option (only for strictly necessary cookies – not Google Analytics).
It is necessary that we take the GDPR seriously. The regulation defines how we as businesses can collect and process our visitors’ and customer’s personal information and still respect their right to online privacy.
Are you uncertain whether you have a legitimate interest to collect and process personal data, stick to Article 6(a), and get consent? It is easy to obtain a professional website solution that collects and stores GDPR valid consents. Best of all, you do not have to worry about the legitimacy of data processing if the user has given his or her consent.
Book a compliance meeting
Want to know more about legitimate interest or whether you can or cannot claim legitimate interest when using cookies?
Book a short talk with our compliance experts.