Legitimate interests is one of the lawful bases for using personal data. We recommend you rely on legitimate interests or contract as the lawful basis, rather than consent.
You’re likely to use legitimate interests if there is a minimal impact on the person’s privacy.
You need to follow a three-part test to show that you’ve chosen the right lawful basis. This is called a legitimate interests assessment (LIA).
The ICO has a sample LIA template to assess whether legitimate interests is the right lawful basis for your data processing.
Identify a legitimate interest
Legitimate interests can include, for example:
- client data
- IT security
- fraud prevention
Legitimate interests can be those of a controller or a third party.
Show it’s necessary
You must be able to show why it’s necessary to use personal data to achieve your objective. The ICO has more on when processing counts as necessary.
Balance it against the person’s interests
You must balance the legitimate interests against your client’s interests, rights and freedoms.
If your client would not ‘reasonably expect’ you to use the data in the way you’re using it, or if it could cause ‘unwarranted harm’, their interests are likely to override your legitimate interest.
You can read more on balancing legitimate interests on the ICO website.
Recording your decision
Once you’ve completed the three-part test, you need to record your decisions. You also need to tell your client (the data subject) the details of the controller’s or third party’s legitimate interests. This can be done:
- by writing to them
- by telling them
To rely on legitimate interests for marketing, you need to show that:
- using someone’s data will have a minimal impact on their privacy
- they are not likely to object to you using their data
You may need consent for electronic marketing.
See the ICO’s guidance on electronic and telephone marketing
You can rely on legitimate interests when using children’s data but you should take extra care to make sure their interests are protected. The information in your privacy notice needs to be age-appropriate.
See the ICO’s guidance on children and the GDPR
Data to a third party
You may rely on legitimate interests to disclose personal data to a third party. These might be your own interests, the interests of a third party, or both.
You should consider:
- why they want the information
- if they need it
- what they’ll do with it
If the three-part test is passed, you can rely on legitimate interests for the disclosure.
See more information on legitimate interests on the ICO website