ICO’s Guidance on legitimate interests

This guidance aims at helping controllers “to decide when to rely on legitimate interests as … basis for processing personal data and when to look at alternatives.”

The entire Guidance is helpful but particularly helpful are the sections:

Are there cases when legitimate interests is likely to apply?

The GDPR highlights some processing activities where the legitimate interests basis is likely to apply:

    • processing employee or client data;
    • direct marketing; or
    • intra-group administrative transfers.

Can we use legitimate interests for employee or client data?

Yes, in some cases, but it does not always apply and you need to consider the three-part test. Recital 47 of the GDPR says:

“…Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.”

and section “When should we avoid choosing legitimate interests?.

The ICO gives the following examples of situations in which legitimate interest is not an appropriate basis:

    • you are a public authority and the processing is to perform your tasks as a public authority;
    • your processing does not comply with broader legal, ethical or industry standards;
    • you don’t have a clear purpose and are keeping the data ‘just in case’ (in this case your processing is not compliant on any basis);
    • you could achieve your end result without using personal data;
    • you don’t want to take full responsibility for protecting the interests of the individual, or would prefer to put the onus onto the individual;
    • you intend to use the personal data in ways people are not aware of and do not expect (unless you have a more compelling reason that justifies the unexpected nature of the processing);
    • there’s a risk of significant harm (unless you have a more compelling reason that justifies the impact);
    • you’re not confident on the outcome of the balancing test;
    • you would be embarrassed by any negative publicity about how you intend to use the data; or
    • another lawful basis more obviously applies to a particular purpose. Although in theory more than one lawful basis may apply to your processing, in practice legitimate interests is unlikely to be appropriate for any processing purpose where another basis objectively applies.

Read the entire Guidance at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/


More information: Francesca Giannoni-Crystal