How to use legitimate interest under the GDPR: recent clarifications from the regulator

Legitimate interest is one of the grounds for the lawful processing of personal data under the EU General Data Protection Regulation (GDPR). Companies have started to apply legitimate interest to almost all situations where they are interested in the outcome of such processing.


But does interest equal legitimacy? Let’s find out with the help of the European Data Protection Board’s (EDPB) new guidelines on legitimate interest.

Conditions for applying the grounds

Article 6 of the GDPR sets out an exhaustive list of grounds that companies can rely on when processing personal data. Legitimate interest has become popular because it is easy to apply and less burdensome than, for example, consent. It is also focused on the controller. Take, for example, a business's desire to keep its office secure. Combine it with the processing of footage from video surveillance cameras, and voilà: the business no longer collects consent but relies on “legitimate interest”. However, the world of data protection is not as rosy as businesses would like it to be.

In October 2024, the EDPB reminded controllers that processing data on the basis of legitimate interest requires three cumulative conditions to be met. The controller must ensure that:

  1. The interest of the controller or a third party is legitimate;
  2. The processing of personal data is necessary for the purposes of that legitimate interest;
  3. The legitimate interest overrides the rights of the data subjects.

The complexity of the test seems to grow exponentially: each subsequent step is more difficult than the previous one, and none of them is guaranteed. For example, the existence of a legitimate interest does not mean that the processing is necessary. Each condition of the test is subject to a proper assessment by the company that applies the legitimate interest. It is important that such an assessment takes place before data processing, not after the fact.

Is the company's interest legitimate?

Simply labelling an interest as legitimate does not make it so. Neither legislation nor EU soft law offers an exhaustive list of what can be called a legitimate interest. Therefore, companies have to make their own legitimacy assessment. Here the EDPB does not invent a new approach, but rather refers to the test of its predecessor, the Article 29 Data Protection Working Party:

  • The interest is lawful
  • The interest is clearly and precisely articulated
  • The interest is real and present, not speculative

Let’s take a situation where a company sells goods online and wants to process the data of its website users in order to show them products according to their individual preferences. Such an interest is lawful (it does not contravene the law), clear (the policy on the website says that by analyzing the most frequently viewed products, it is possible to adapt the offer to the needs of users) and real (this is how the company makes decisions about the assortment and marketing).

What kind of data processing is necessary?

What does necessity mean here? In simple terms, the organization must find out whether it can satisfy its interest just as effectively by other means that are less restrictive of the fundamental rights and freedoms of data subjects. In fact, this is a matter of alternatives. If the goal can be achieved by collecting less data, it is a win-win: the services are provided efficiently, no one interferes in people’s lives unnecessarily, and the company can still rely on legitimate interest for its own purposes. Is the processing justified? It is, and it is also necessary.

So whose rights or interests prevail?

Finally, balancing. The most difficult and final part of the legitimate interest assessment requires taking into account a number of criteria, such as:

  • the rights and interests of the data subjects,
  • their legitimate expectations,
  • the type of data,
  • the impact and consequences of processing.

Such a balancing act is necessary to avoid situations where companies disproportionately affect people through their “good purpose” and data processing.

The impact on human rights can also be indirect. The consequences of such impacts may not be immediately identifiable through direct causation. Those responsible for the proper processing of data should make more than a token effort to assess the impact of processing. For example, constant online monitoring of activities on an internet platform can give a person the feeling that their private life is always “under surveillance.”

A company that determines the purposes of processing should consider all possible consequences, e.g.:

  • potential decisions of third parties regarding the data,
  • legal consequences of processing,
  • financial losses,
  • discrimination, and other risks to human rights and freedoms.

This should be an objective assessment of reality. It is necessary to compare all potentially important points for the client or end user and make sure that the interest of the organization does not harm people in the process. This is how fairness is achieved even in seemingly technically uncomplicated data processing operations.

How to record the results of the assessment

Companies are required to conduct and document legitimate interest assessments to comply with the accountability principle of Article 5(2) of the GDPR. The result is recorded in the form of an LIA (legitimate interest assessment). Moreover, the assessment must be made before the company actually processes personal data of a particular type.

The relationship between legitimate interest and the rights of data subjects

But there’s a caveat: simply conducting an LIA is not enough to apply legitimate interest. The company must comply with all the rights of data subjects as defined in Articles 12-23 of the GDPR. The application of legitimate interest must be understandable to the average person (and sometimes even to a child, if their data is processed), convincing, and specific to each processing case.

Companies should clearly communicate their intentions regarding the processing of personal data. This means creating clear and accessible policies that explain:

  • what data is collected,
  • for what purpose it is used,
  • on what legal basis the processing takes place, and
  • what rights subjects have when their data is processed.

For example, a person should understand that they can unsubscribe from marketing mailings at any time by expressing their wish in the manner specified by the company.

Special types of processing

Legitimate interest is not a convenient excuse for all cases. It cannot be stretched to cover everything. In some situations, stricter and more restrictive rules for data processing apply. For example, children may not fully realize the consequences of processing data about them, so you need to be more careful when processing their data.

Or, when it comes to fraud prevention, you may process only the minimum of data needed, so as not to harm the subject in the future. Controllers should be specific about the type of fraud they are trying to prevent, and therefore need to understand clearly whether they really need the data for this purpose. For example, checking the CVs of potential employees to verify that a certification claimed by the candidate is genuine is a justified legitimate interest. However, collecting information about candidates’ personal lives that has nothing to do with their professional activities is far from a justified measure.

Finally, when processing for direct marketing purposes, it is necessary to ascertain whether the marketing communications pursue a commercial purpose and are addressed directly to the consumer and not to an indefinite number of persons.

Any conclusions?

Businesses should not treat legitimate interest as a fallback for cases where the other grounds could not, for some reason, be applied. Legitimate interest requires a rigorous assessment, and not just to make sure that companies handle personal data responsibly: its purpose is to protect people’s rights both at the time of processing and in the future.
