What businesses need to know about legitimate interest under GDPR

The UK Domain explains one of the six lawful bases under GDPR, legitimate interest, using common scenarios to show where it could apply.

Despite the General Data Protection Regulation (GDPR) having come into force over two years ago, some elements of the legislation can still be confusing to businesses without a dedicated legal department. One example is ‘legitimate interest’, one of the six lawful bases for processing personal data, and the focus of this article.

Today, we’re going to explain what legitimate interest is and share a couple of scenarios of where it could apply.

What is legitimate interest?

In order to collect, store, process and use personal data, you need to have a valid lawful basis for doing so. Within GDPR, there are six lawful bases under which businesses can collect and process personal data, and you must choose the most appropriate of these to your specific task or activity.

Legitimate interest is often referred to as the broadest and most flexible basis, but it must fulfil these three criteria:

  1. The identification of a legitimate interest behind the processing
  2. A necessity to process the information required to fulfil that legitimate interest
  3. A balancing test: the legitimate interest must not be overridden by the rights and freedoms of the individual data subject

The legitimate interest can be your own or your business’s, provided that processing the personal data is necessary to achieve it and there isn’t another, less intrusive, way of gathering the data needed.

This does not mean that using legitimate interest allows businesses to collect and use personal data for any purpose. A good check is to ask yourself: “would the data subject reasonably expect us to hold and use this data, and be happy for us to do so?” If your answer is no, it is very likely you won’t be able to rely on the legitimate interest basis to process the data.

To help demonstrate what counts under this basis, here are some common scenarios:

1. Responding to an enquiry

If a customer has asked your business for more information about your products or services, by means such as filling in a contact form or providing you with contact details, this contact information can be used to respond to that enquiry.

After all, the customer will have a reasonable expectation that you’ll use their data to respond as they made the request.

2. Protecting your business’ interests

If the actions of a third party are having a negative impact on your business, such as an unpaid invoice, you can process that party’s information so that you can chase and receive payment.

3. Adding value for a customer

An example of this scenario may be using data to inform an existing customer that their contract is due for renewal or part of their subscription is due to change.

What about legitimate interest and marketing?

The use of legitimate interest for marketing is one of the most confusing scenarios. The framework states that: “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”

Again, this doesn’t mean that a business can use legitimate interest to permit all manner of marketing endeavours and activities.

Let’s look at an example. If you already hold a GDPR-compliant database of people who have opted in to communications and given the right permissions for marketing, sending a new promotion or information about a similar product or service could constitute legitimate interest.

Because the prospects have already opted in and indicated support for your use of their data, legitimate interest may be a lawful basis for future communications of the same kind. Note, however, that it is more difficult to pass the balancing test if you do not give individuals a clear option to opt out of direct marketing, both when you initially collect their details and when you send follow-up communications.

Of course, if a customer has already opted out or unsubscribed, you can’t use legitimate interest to contact them again and they must remain removed from all marketing communications.

It’s important to make sure you really consider whether your marketing activity falls into legitimate interest. Try putting yourself in the shoes of your customers and seeing what your reaction and feelings would be if you received those extra communications.

While legitimate interest might be appropriate for some of your marketing activities or for other scenarios your business may find itself in, it’s important to remember the fundamental aim of the GDPR legislation: to protect personal data. It’s better to protect and use personal data correctly and remain compliant with the law than to risk a complaint, a fine or bad publicity.

The ICO website has further information on legitimate interest. Don’t forget to ensure your business is compliant with all areas of the legislation.

This article was brought to you in partnership with the UK Domain


The information in this article is for general guidance about data protection rules and is not legal advice. We have tried to ensure that this guidance is accurate and relevant as at September 2020. However, Nominet UK will not accept liability for any loss, damage or inconvenience arising as a consequence of any use of or the inability to use any information contained in this guidance.


Brenden Grant
