What is legitimate interest in the GDPR?
Under Article 6 of the GDPR, there are six lawful bases to process personal data: consent, contractual, legal obligation, vital interest, public task and legitimate interest.
The legal basis of legitimate interest means that businesses (the data controller) can process personal data if they have a legitimate interest, i.e. a valid reason, for doing so. Recital 47 of the GDPR gives an example:
“…the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”.
In Case C-13/16, the Court of Justice of the European Union (CJEU) noted that data processing based on “legitimate interests” is lawful only when three cumulative conditions are met:
- The interest pursued by the controller should indeed be “legitimate”
- The data processed must be necessary
- There should be a balance between the controller’s legitimate interests and the fundamental rights and freedoms of the data subject