What is legitimate interest in the GDPR?
Under Article 6 of the GDPR, there are six lawful bases for processing personal data: consent, contractual, legal obligation, vital interest, public task and legitimate interest.
The legal basis of legitimate interest means that businesses (the data controller) can process personal data if they have a legitimate interest, i.e. a valid reason for doing so. Recital 47 of the GDPR cites an example:
“…the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”.
In Case C-13/16, the Court of Justice of the European Union (CJEU) noted that data processing based on “legitimate interests” is lawful only when three cumulative conditions are met:
- The interest pursued by the controller should indeed be “legitimate”
- The data processed must be necessary
- There should be a balance between the controller’s legitimate interests and the fundamental rights and freedoms of the data subject