Legitimate Interests is one of the more common legal grounds for a controller to process personal data. Legitimate interest is different from consent; it is not processing that the individual has specifically agreed to; it is not processing linked to a specific purpose (like the one specified in a contract with the individual (contract as a legal ground to process will be discussed in a future blog); it is flexible and could theoretically apply to any type of processing. Since consent is more restrictive under the GDPR, some think of legitimate interest as the catch all basis for processing personal data. This view is incorrect.
In order to decide whether legitimate interest can be used as a legal ground to process personal data, you must conduct a balancing test to determine whether:
- The impact on individuals overrides the organization’s legitimate interests
- If the impact on individuals overrides the organization’s legitimate interests, safeguards sufficiently minimize the impact on individuals
- If safeguards do not sufficiently minimize the impact on individuals and security risks exist, security measures sufficiently minimize the impact on individuals.
If safeguards and security measures do not sufficiently minimize the impact on individuals, then legitimate interest cannot be used as the legal ground to process. In order for processing of personal data to proceed, another legal basis for processing must exist.
It is not only the organization’s legitimate interests. It could also be the legitimate interests of any third party. The “third party” could be third party organizations or third party individuals. Also, the legitimate interests of the public in general may play a part when deciding whether the legitimate interests in the processing override the individual’s interests and rights. If the processing has a wider public interest for society at large, then this may add weight to your interests when balancing those against those of the individual.
If you think you want to use legitimate interest as the legal ground to process personal data, then you will have to do a legitimate interest assessment. You must perform the legitimate interest assessment before you start processing the personal data. How to conduct a legitimate interest assessment will be discussed in the next Blog.
This blog is the 19th in a series of blogs that explains, in bite size pieces, what needs to be done to put the GDPR into practice and how GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool, can help SMEs implement the GDPR and demonstrate their implementation.