The General Data Protection Regulation ("GDPR") is the primary legislation in Europe governing personal data processing. While the GDPR imposes significant changes on businesses, including fines of up to 4% of global revenue or 20 million euros, it also expands the rights of data subjects, such as the "right to be forgotten". In a world where privacy is "by design," the goal is to give individuals more control over their private data.
While explicit consent is fundamental for data processing, "legitimate interest" is one of the exceptions and the most flexible legal foundation for processing.
We approach it with caution due to its flexibility and fragility. We closely monitor European governmental and regulatory agencies and have adapted our operations to their standards.
An 'interest' can be considered 'legitimate' if the Controller can pursue it in a manner consistent with data security and applicable laws.
Legitimate interest is defined in both Article 6(1)(f) and Recital 47 of the GDPR. Recital 47 explicitly mentions marketing purposes as legitimate: “…the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate aim.”
However, this does not imply that all processing for commercial reasons is permissible. You must demonstrate that your processing meets the requirements for necessity and balance.
Given that people have the right to object to marketing strategies per Article 21(2), it becomes harder to pass the balancing test if you do not provide consumers with a clear choice to opt out of direct marketing at the time their information is collected (or in your initial communication if the information was not gathered directly from them).
Legitimate interests may be your own or those of third parties. They may be commercial, individual, or societal in nature.
You must weigh your interests against those of others. If they did not reasonably anticipate the processing or if it would result in unjustifiable harm, their interests are likely to take precedence over your legitimate interests.
Yes. This form of processing is legal if legitimate interests justify it, but you must follow the three-part Legitimate Interest Assessment criteria.
Consider using legitimate interests as a legal justification for such processing. You must define the exact reason for processing and ensure it is genuinely essential for that purpose.
If you pass the first two components of the three-part test, you must also pass the balancing test. You may find it straightforward, as business contacts are more likely to expect processing of their personal data in a commercial context, and the processing is less likely to have a significant impact on them personally.
For additional information on the legitimate interest principle and its assessment test, which we strictly follow in our business operations, please see this guide or contact us via email.