GDPR: Alleging “legitimate interests” to process data for marketing purposes
If legitimate interest is often seen as the most convenient method relied upon by organizations for processing data, it is also one of the most litigated areas at both the European level and the national level in the EU. In this article we explore the particular use of legitimate interest to justify the processing of personal data for marketing purposes.
Overview: what are the lawful bases for processing personal data under the GDPR?
The General Data Protection Regulation (GDPR) requires that any processing of personal data be done “lawfully, fairly and in a transparent manner in relation to the data subject”.
Article 6 §1 of the GDPR provides six lawful bases on which an organization may process personal data in compliance with the GDPR.
In plain terms, this means that an organization may not collect, use, or do anything with the personal data of an EU resident unless one or more of the six legal justifications below applies. If you are processing sensitive personal data, you should not rely on these bases as there are additional, more stringent requirements.
The six lawful bases include:
- The organization has explicit consent from the data subject
- The processing is necessary to perform a contract the organization has entered into or is about to enter into with the data subject
- The organization has a legal obligation to process such data
- The processing is necessary to “protect the vital interests of the data subject or another natural person”
- The processing is necessary for public interest
- The processing is necessary for the legitimate interests of the organization, except where such interests are overridden by the interests or fundamental rights of the data subject.
Determining which legal basis applies to your organization
Most organizations seeking to process personal data will fall under (a), (b), and (f). Organizations processing personal data for marketing purposes will be limited to (a) and (f). While (a) may seem like a simple solution, it often is difficult and expensive to execute actually obtaining proper, explicit consent from every data subject.
To avoid the trouble and expense of obtaining consent, organizations have started looking to legitimate interest as their lawful basis. The issue, however, is that they often rely on legitimate interest without being able to provide an explanation for why their purpose is legitimate. While this standard can be helpful because of its flexibility, determining what purposes qualify can be challenging since it is unclear.
Does my processing fall under legitimate interest?
The Article 29 Working Party (“WP29”), an independent European advisory board that advises on data protection and privacy, released a guide to assist organizations in navigating the legitimate interest legal basis. The guide emphasizes that the “legitimate interest” standard should not be used as a fallback if processing doesn’t fall within the first five legal bases, and that it provides a balancing test to help controllers determine the legitimacy of their processing.
Organizations must conduct a 3-part Legitimate Interest Assessment (LIA) prior to processing to determine if the processing qualifies as a legitimate interest:
- Purpose: Is there a legitimate purpose for the processing?
- Necessity: Is this type of processing necessary to accomplish that legitimate purpose?
- Balance: Is this legitimate interest strong enough to override the data subjects’ rights?
This prong asks what the organizations’ purpose or motivation behind the processing is. The legitimate interests must be “sufficiently and clearly articulated” so that the balancing prong of the three-part test can be properly executed. Examples of legitimate interests include providing competent requested service, fraud prevention, ensuring security, or identifying criminal or public security threats. More information can be found here.
Questions you should ask yourself include:
- What is your goal in processing the data?
- Who will benefit from this processing?
- How important are those benefits to the parties?
- What would the impact be if you were not permitted to process such data?
- What are the potential ethical or legal issues?
Necessity refers to the relationship between the processing and the purpose expressed. An organization should be able to prove that there is no less intrusive method of processing to achieve the same result by justifying what, how, and how much they are processing. The organization should identify what types of personal data are being processed and narrow the scope of processing to only what is necessary for their stated legitimate purpose.
Questions you should ask yourself include:
- How does this processing further your goal or purpose?
- Would the data subject reasonably anticipate this method of processing?
- Are there any other less intrusive ways to go about the processing?
Article 6 (f) of the GDPR states that an organization may process personal data for their legitimate interests “except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject”. Essentially, this means that an organization relying on legitimate interest for its processing must balance their interest with the legal rights of the data subject, in addition to any personal interests a data subject might claim.
Questions you should ask yourself include:
- What is the nature of your relationship with the data subject?
- What risks are involved with the processing of this type of data?
- What safeguards are in place to protect the data subject?
In summary, legitimate interest will be strongest where the data subject reasonably expects this processing and where there is a minimal impact on the data subject.
How do I rely on legitimate interest for my marketing communications?
The GDPR states that “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
To process personal data for marketing purposes, organizations must still complete the same three-part test, however there are additional considerations. Primarily, using the basis that the marketing benefits the data subject because it offers them promotions or discounts is not strong enough to prove an organization’s legitimate interest in processing their data.
Opting out: Article 21 of the GDPR grants data subjects the absolute right to object to direct marketing. An organization conducting business for legitimate interests would need to show compliance by providing an opt-out mechanism and informing data subjects of this right.
Electronic Communications: Certain e-privacy laws, like the UK Privacy and Electronic Communications Regulation (PECR), may require consent from data subject prior to sending any electronic communications. Under these circumstances, legitimate interest is insufficient, and the organization must obtain explicit consent prior to sending any communications.
Below is an example from the ICO, the UK data protection regulator, site regarding how to conduct the balancing test on processing for marketing purposes:
“A charity wants to send fundraising material by post to individuals who have donated to them in the past but have not previously objected to receiving marketing material from them.
The charity’s purpose of direct marketing to seek funds to further its cause is a legitimate interest.
The charity then looks at whether sending the mailing is necessary for its fundraising purpose. It decides that it is necessary to process contact details for this purpose, and that the mailing is a proportionate way of approaching individuals for donations.
The charity considers the balancing test and takes into account that the nature of the data being processed is names and addresses only, and that it would be reasonable for these individuals to expect that they may receive marketing material by post given their previous relationship.
The charity determines that the impact of a fundraising mailing on these individuals is likely to be minimal however it includes details in the mailing (and each subsequent one) about how individuals can opt out of receiving postal marketing in future.”
I have a legitimate interest in processing this personal data. Now what?
Documenting your legitimate Interests
In addition to completing the 3-part test and determining the legitimate interest behind each type of processing, under the GDPR “accountability principle” organizations bear the burden of demonstrating and documenting their LIAs and compliance. The Article 29 Working Party encourages organizations to be as thorough as possible while recording this process so that data subjects, data authorities, and regulators can see that the organization has adequately considered the interests and risks for all parties.
Organizations must be specific and identify a legitimate interest for every individual type of processing that occurs. For example, it is not sufficient to say that IT generally processes employee personal data for the legitimate interest of security; each type of data processed by IT must be identified and justified individually.
Make your legal bases publicly available
Organizations relying on legitimate interest for processing are required to post, on their privacy notice, a detailed explanation of what is being processed, what legitimate interests are being relied on, and an explanation of how data subjects may opt out.
Some defined terms:
- Data Subject: A person physically residing in the EU whose information is being processed.
- Processing: Anything done to personal data, including: collecting, storing, modifying, structuring, sending, using, accessing, and deleting.
- Personal Data: Any information that can be used to directly or indirectly identify an individual.
- Sensitive Personal Data: Personal data about race, ethnicity, political opinion, religion, philosophical beliefs, trade union membership, genetic data, biometric data, health data, sexual orientation, or sex.
Learn more in our GDPR Glossary.
This article has been written in collaboration with Monica Meiterman-Rodriguez