What is Legitimate Interest in GDPR?

You may have heard a lot about consent in relation to the General Data Protection Regulation (GDPR), which becomes a reality in May 2018. But consent is not the only reason organizations and companies may be entitled to process personal data. There is also legitimate interest to be considered.

Detailed guidance regarding legitimate interest is not expected to be provided until next year. But there are some basic facts that businesses should be aware of before then.

What Does Legitimate Interest Mean?

Legitimate interest exists when a business or organization can show that it has a legitimate reason for processing the personal data of an individual. This can be with or without the consent of the individual, depending on the situation. It is important to note that the fundamental rights and freedoms of an individual must always be considered when processing personal data.

Examples of Legitimate Interest

One of the most obvious examples of legitimate interest is when a company uses personal data it already holds for the purposes of direct marketing. Data that was obtained before the introduction of the GDPR can be used for this reason, as long as it was provided in a consensual way to begin with and the individual can reasonably expect it to be used. There must be consent and it must be clear that the consent is for marketing purposes. The personal data cannot be collected for other reasons (for example, billing) and then reused for marketing without explicit consent. If a business has any doubts about whether legitimate interest is a sufficient reason to process personal data, it is best to seek consent from the individual.

Personal data can also be processed at the request of certain third parties, often for legal or financial reasons. If a business or organization processes personal data for this reason, it needs to be assured that the personal freedoms of the individual are always considered.

Legitimate interest is not always a strong legal justification for using personal data, especially when it comes to direct marketing.