Legitimate Interest – what do we need to assess?
Legitimate interest is one of the six possible ways to justify (“legitimise”) doing anything (collecting, analysing, sharing, storing) with personal information.
GDPR Article 6(1)(f)
Processing shall be lawful only if…at least one of the following applies…
(f) Processing is necessary for the purposes of the legitimate interests pursued by the controller (or by a third party)
except where such interests are overridden by
the interests or fundamental rights and freedoms of the data subject which require protection of personal data (in particular where the data subject is a child).
Please note: this Assessment Tool only considers legitimate interests.
It assumes you have already assessed whether you can, or should, be relying on legitimate interests as the basis for processing personal information. Please use Protecture’s “lawful basis decision tree” to consider which lawful basis is most suitable for the processing you are considering.
Legitimate Interest and transparency
You will be required to publish the outcome of this Assessment. This is because the GDPR requires us to inform people, when we collect their personal information, of:
the purposes we are going to use their information for,
the legal basis (i.e. legitimate interests in this case) and
what interests we are pursuing.
GDPR Article 13(1)
Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
(d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;