In the fourth instalment of whether you are ready for GDPR, we consider the lawful basis of legitimate interests.
Legitimate interest forms the sixth and final legal basis upon which businesses and organisations can lawfully process personal data. It is perhaps the most flexible of all the lawful bases, and whilst it should not be treated as a last resort for rare or unexpected situations, neither should it be chosen automatically, or its use unduly extended, on the basis that it can be considered less constraining than the other grounds.
Article 6(1)(f) of the Regulation defines legitimate interest as:
“Processing is necessary for the purpose of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
The application of this lawful basis mirrors, to some extent, the current lawful basis for processing personal data found in the Data Protection Act 1998, together with Article 7(f) of the previous EU data protection directive (95/46/EC).
Its use is likely to be appropriate in circumstances where data is being used in a way that individuals would expect and which would have minimal privacy impact. Opinion as to the definition of legitimate interest under the existing statutory framework has been given by the working group tasked with the implementation of GDPR, with further definition given in a judgment of the Latvian Court in early 2017 following a further opinion of EU Advocate General Bobek (Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA 'Rīgas satiksme', Case C-13/16, 4 May 2017).
Based on these opinions and judgments, it is probable that, in determining whether legitimate interest applies, a three-part test will need to be satisfied:
• The pursuit of a legitimate interest by the data controller or by the third party or parties to whom the data are disclosed – Purpose Test – Are you pursuing a legitimate interest?
• The need to process the personal data for the purposes of the legitimate interests pursued – Necessity Test – Is the processing necessary for that purpose?
• That the fundamental rights and freedoms of the person concerned do not take precedence – Balancing Test – Do the individual’s interests override the legitimate interest?
To bolster the position under the current legislation, the GDPR specifies at Recital 47 that:
“The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into account the reasonable expectations of data subjects based on their relationship with the controller…”
To assess whether its application as a lawful basis is appropriate, it is considered that a legitimate interests impact assessment should be undertaken, in which the three-part test set out above can be applied.
The legitimate interest test, and in turn the impact assessment, should be undertaken prior to the commencement of processing. A record of the assessment should be kept to evidence and document that a review has been undertaken, and that the organisation has satisfied itself that the legitimate interest is not overridden by the identified risks to the interests of the individual.
Reliance on legitimate interests should therefore be avoided in any situation or circumstance where personal data is used in a way that the data subject would not understand or expect.
If you would like to explore whether the use of legitimate interest as a lawful basis for processing personal data would be appropriate to your business, then please do not hesitate to contact Richard Burraston on 01293 596984 or at Richard.email@example.com, or Paul Dungate on 01293 596981 or by e-mail at firstname.lastname@example.org.