Over the last few months, with the effective date of the GDPR and the implementation of its requirements into business compliance programs, many non-professionals have made serious mistakes. Panic and short deadlines are the main reasons for this; however, it is now time to take a closer look at the purpose of the Regulation and to implement it as it should be. Determining the correct lawful basis for processing is of great importance, as it underpins the ‘lawfulness, fairness and transparency’ principle.
Among the most common mistakes is the use of “Consent” as the lawful basis for processing without considering which lawful basis is most appropriate in the given case, simply because “Consent” is considered the safest basis. This is not correct and could result in the consent being invalidated and, with it, the basis for processing.
The GDPR gives six lawful bases for processing, and there is a reason behind this.
This series of articles on the lawful bases for processing will examine the characteristics of each and every one of them and further specify the cases where the given lawful basis should and should NOT be used.
Today we will take a look at the first one – Legitimate interest.
The legitimate interest basis has been recognised and applied since the 1995 Directive. It is explained in Recital 30 and Article 7(1)(f) of the 1995 Directive, which state that “the processing is permitted if it is necessary for the purposes of legitimate interests pursued by the controller (or by a third party to whom the data are disclosed) except where the controller’s interests are overridden by the interests, rights or freedoms of the affected data subjects.”
This principle is further developed in the GDPR, where Recital 47 and Article 6(1)(f) state: “Processing is permitted if it is necessary for the purposes of legitimate interests pursued by the controller (or by a third party), except where the controller’s interests are overridden by the interests, fundamental rights or freedoms of the affected data subjects which require protection, particularly where the data subject is a child.”
This does not apply to processing carried out by public authorities in the performance of their duties.
As a result, “Legitimate interest” remains a lawful basis under the GDPR as it was under the 1995 Directive, but there are two big differences. First, processing carried out on this basis may be subject to objections from data subjects. Second, since the effective date of the GDPR (25 May 2018), parental permission is required to process the personal data of children (the GDPR specifies that a child is anyone under the age of 16). In some cases, such as online communication, providing proof that parental permission has been obtained could therefore be challenging.
Article 6(1)(f) of the GDPR reads:
“1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(f) Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
Unlike the other lawful bases, which are centred either on performing a contract with the individual, complying with a legal obligation, protecting vital interests or carrying out a public task, legitimate interest is not tied to a particular purpose and is a basis for processing that requires no prior consent from the individual.
Legitimate interest is more flexible and could in principle be applied to any type of processing for any reasonable purpose. Here is one good reason not to use Consent all the time!
The ICO has provided detailed guidance on how to recognise whether legitimate interest is the right lawful basis for processing by setting out and applying the three-part test.
The Three-Part Test
The three-part test is not explicitly explained in the text of the GDPR; however, its three elements can be found in the text of Article 6(1)(f) itself:
1) “Processing is necessary for …
2) …the purposes of the legitimate interests pursued by the controller or by a third party, …
3) …except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
The ICO’s guidance further suggests the following division and order:
- Purpose test – is there a legitimate interest behind the processing?
- Necessity test – is the processing necessary for that purpose?
- Balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms?
This concept is not an ICO invention. It was in fact first developed in a decision of the Court of Justice of the European Union in the Rigas case (C-13/16, 4 May 2017), at a time when the 1995 Directive was still in force. However, since the legitimate interest provisions in the 1995 Directive and in the GDPR are quite similar, the three-part test can be applied in the context of the GDPR as well.
Since the practical cases in which the legitimate interest lawful basis applies are hard to explain in the abstract, it is best to illustrate them with a few examples:
A bank wants to process personal data to spot fraudulent accounts used for money laundering transfers on the basis of legitimate interest.
Firstly, it considers the purpose test. It is in the bank’s legitimate business interest to ensure that its customers do not launder any money. At the same time, the bank’s other customers and the public in general also have a legitimate interest in ensuring that fraud is prevented and detected.
Having met the purpose test, the bank can then go on to consider the necessity test and then the balancing test.
Although any purpose could potentially be classified as relevant, that purpose must furthermore be ‘legitimate’. Anything illegitimate, unethical or unlawful is not a legitimate interest. For example, although cold email marketing may in general be a legitimate purpose, buying potential clients’ phone numbers and calling them is not legitimate.
If the application of the test shows that the interest is not legitimate, then conducting the other two parts of the test is pointless, as the legitimate interest lawful basis obviously cannot be applied.
The GDPR does not contain an exhaustive list of the purposes that are likely to constitute a legitimate interest. Examples can, however, be found in the text of the recitals:
- Fraud prevention;
- Ensuring network and information security;
- Indicating possible criminal acts or threats to public security;
- Processing employee or client data;
- Direct marketing;
- Administrative transfers within a group of companies.
When is processing ‘necessary’?
In order for the legitimate interest lawful basis to be used, the processing must be shown to be necessary for the purposes of the legitimate interests you have identified. ‘Necessary’ does not mean absolutely essential, but the processing must be a targeted and proportionate way of achieving your purpose.
In conducting its “Know Your Customer” procedures, the bank sometimes processes personal information not only of the given client but also of his family (for example as an emergency contact or a back-up contact). The bank considers this necessary, as it has had plenty of cases in the past where a money transfer was authorised over the phone from a stolen phone. For this reason the bank believes that, in order to avoid fraudulent schemes like this, it is necessary to process personal data of next of kin or other close relatives who are not direct clients of the bank.
If the given organisation, in our example the bank, is unable to demonstrate that the processing is necessary to meet the legitimate interest, then the necessity test fails and proceeding with the third test is unnecessary.
What is the balancing test?
The last part of the test is the determination of whether the processing of personal data is balanced against “the interests or fundamental rights and freedoms of the data subject which require the protection of personal data”. In practice, this is a risk assessment to check whether any risks to individuals’ interests are proportionate.
What are the individual’s ‘interests, rights and freedoms’?
This category is extremely broad and in practice includes data protection and privacy rights, as well as fundamental rights under the Charter of Fundamental Rights of the European Union.
A bank – a credit and financial institution – is unable to locate a customer who has stopped making payments under his mortgage. The bank engages a debt collection agency to find the customer and seek repayment of the debt. For this purpose, the bank shares the customer’s personal data with the debt collection agency.
The bank has a legitimate interest in recovering the debt it is owed, and in order to achieve this purpose it is necessary for it to use a debt collection agency to track down the customer.
The bank applies the balancing test and concludes that it is reasonable for its customers to expect that it will take steps to seek payment of outstanding debts. It is clear that the interests of the customer are likely to differ from those of the bank in this situation, as it may suit the customer to evade paying the outstanding debt.
However, the legitimate interest in passing the personal data to a debt collection agency in these circumstances would not be overridden by the interests of the customer. The balance would be in favour of the bank.
Legitimate interests and marketing
In the marketing sphere, and in direct marketing in particular, the legitimate interest lawful basis for processing should be applied with great caution.
Over the last couple of months businesses have struggled with the application of some GDPR requirements to B2B relationships. On the legitimate interest question the ICO has already given some clarification, and the answer is yes: the legitimate interest lawful basis applies to B2B relationships whenever personal data of employees are involved. The three-part test still needs to be applied; however, the ICO states that business contacts are more likely to expect the processing of their personal data in a business context, and it is less likely to have a significant impact on them personally.
Stay tuned for part 2!
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Available at: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML
This article is inspired by the ICO’s guidance. Available at: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/what-is-the-legitimate-interests-basis/
Charter of Fundamental Rights of the European Union. Available at: http://www.europarl.europa.eu/charter/pdf/text_en.pdf