There are six lawful grounds for processing personal data under the GDPR: consent, contract, legal obligation, vital interests, public task and legitimate interest. Processing data on the basis of “legitimate interest” is an important concept to understand for both data subjects and the entities that collect and process data (i.e., “controllers”). Legitimate interest refers to processes undertaken by a controller that are essential and important enough to qualify as lawful grounds for storing, using and collecting personal data. The scope of legitimate interest is very broad, but it requires companies to explicitly explain and document their decision-making. This process gives companies a chance to assess how they process and use data, and to use that assessment to build a compelling argument for keeping those processes and personal data safe, ensuring the continuity of business operations.
Article 6(1)(f) of the GDPR addresses legitimate interest:
[P]rocessing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of Personal Data, in particular where the data subject is a child.
Recital 47 discusses legitimate interest further:
The legitimate interests of a controller, including those of a controller to which the Personal Data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller.