Legitimate Interests
2017
Guide 8: The General Data Protection Reform
www.communicatorcorp.com 2
In this guide
• Legitimate Interest introduced in the GDPR (page 4)
• PECR: Legitimate interests for data processing
• Demonstrating ‘reasonable expectation’ (page 7)
• Legitimate Interest balanced with individual’s rights (page 8)
• Giving individuals the right to object (page 9)
• Legitimate interest’s limitations
• Legitimate interest vs consent
• Summary: Information, Choice and Proof (page 13)
• What it means for your data processing
The GDPR sets out the requirements and conditions for collecting, storing and using personal data in a fair
and lawful way, listing six grounds for lawfulness of processing:
• Consent
• Legitimate interest pursued by a controller
• Necessity for fulfilment of contract
• Legal obligation
• Necessary for vital interests of the data subject
• Necessity for performance of a task in the public interest
Legitimate Interest introduced in the GDPR
On legitimate interests, Article 6 of the GDPR gives us this information.
Data shall be processed only when…
• The individual has given consent for the processing of their personal data for specific purposes;
• Or, processing is necessary for the performance of a contract with the individual;
• Or, processing is necessary for the legitimate interests pursued by the controller or by a third party, balanced with the interests and fundamental rights and freedoms of the individuals.
To put this into context, recitals 47, 69 and 70 explain further…
• Balanced with the privacy and expectations of the individual set by the time and context of the data collection, there may be a legitimate interest for the controller to process the data without consent where there is a relevant and appropriate relationship between the individual and the controller.
• The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest, subject to the balance [as defined above] and the right to object to marketing and associated profiling.
• This right [to object to marketing and profiling] shall be explicitly brought to the attention of the individual and shall be presented clearly and separately from any other information.
Legitimate interests for data processing
PECR
With email and SMS marketing, the Privacy and Electronic Communications Regulations (PECR) define the consent standards required for lawful marketing using electronic communications. PECR and the GDPR are not interchangeable or a substitute for each other, but work together. With PECR setting high permission standards, email and SMS marketers must obtain explicit consent through a ‘positive affirmative action’ and offer a simple unsubscribe process. The GDPR doesn’t change this.
To any email and SMS marketers who read ‘processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest’, it may suggest that the GDPR allows email and SMS marketing without consent. But that is not the case!
The GDPR increases consent standards, requiring firms to provide detailed information about their intended processing in order for consent to be “informed”. Informed consent is simple in some scenarios, such as collecting an email address to add an individual to a mailing list. A simple lightbox signup form, like the one below, does it perfectly…
[Figure: Occasion Outfitters Boutique lightbox signup form example]
However, informed consent isn’t so easy when you don’t yet know exactly how you’re going to process the data, or if what you do is either really technical or you use the data for 20 different things. What if the way you use the data you collect gives no tangible benefit to anyone but it’s still essential to your business? Explaining what you do and gaining specific and informed consent will, at times, be difficult for you and could be detrimental to your relationship with your customers.
It’s for these scenarios that the GDPR has ‘legitimate interests’.
Looking again at article 6 of the GDPR:
Data shall be processed only when…
• […] processing is necessary for the legitimate interests pursued by the controller or by a third party,
balanced with the interests and fundamental rights and freedoms of the individuals.
• Balanced with the privacy and expectations of the individual set by
the time and context of the data collection, there may be legitimate
interest for the controller to process the data without consent
where there is a relevant and appropriate relationship between the
individual and controller.
In the next pages of this guide we take a further look at each of the above points.
Part one: Demonstrating ‘reasonable expectation’
In order to be able to demonstrate that the individuals in question expect you to market to them, or expect you to use their data in a particular way, you must clearly explain “the legitimate interests pursued by the controller or by a third party”.
In other words, you have to say what you’re doing with the data before you collect it.
The full “information burden” which needs to be presented before collecting the data is this:
• Identity of controller: Identity and contact details of the controller or the controller’s representative, and the contact details of the data protection officer.
• Purposes: Purposes of the processing and the legal basis for that processing.
• Legitimate interests: The legitimate interests pursued by the controller or by a third party.
• 3rd parties: Any intended third party recipients of the data must be named or be in a defined category of third party recipients of the personal data.
• Overseas transfer: Any intended data transfer to a third country or international organisation, the existence or absence of an adequacy decision, and the appropriate safeguards.
• Storage duration: The timescales or criteria defining the period for which the data will be stored.
• Data rights: The existence of the right to request access to, rectification or erasure of the data; to request restriction of processing; and the right to data portability.
• Consent withdrawal: The right to withdraw any given consent.
• Complaints procedure: The right to lodge a complaint with the supervisory authority (the ICO, in the UK).
• Data necessity: The existence of any statutory or contractual necessity for the data.
• Automated profiling: The existence and significance of any automated profiling or decision-making.
Some of this will be made clear by the context of the data collection, some by means of the data capture forms and some in an easily accessible privacy notice.
To make privacy notices effective you should make use of “layered” privacy notices, such as this one:
https://privacy.microsoft.com/en-gb/privacystatement
which has a simple navigation, expandable sections which toggle between top-level and detailed information, and which has the information about personal data use right at the top.
Because you need to demonstrate “reasonable expectation” you need to make sure that you give the individuals enough information up front, using the privacy notice for those who want more detail. What you can’t do is put something in the privacy notice which would be unexpected and then try to argue that the individuals should have read it all!
Part two: Legitimate interest balanced with individuals’ rights
This is the fun one! What you have to demonstrate is that what you’re doing is necessary and that you’re adhering to the rest of the GDPR principles, in particular the principles of purpose limitation and data minimisation.
In practice, you need to be able to show:
• That your business need is justified.
• A link between how you use the data and the context for which it was provided.
• That you collect the minimum data necessary and delete it once you’ve used it.
• That you have investigated the risks that the processing could have on the rights and freedoms of the individuals and that you’ve taken the necessary steps to mitigate or remove those risks, such as employing appropriate data protection techniques like encryption, anonymisation and pseudonymisation.
Part three: Giving individuals the right to object
Individuals can exercise the right to object by ticking a box, unticking a box, clicking an unsubscribe link, setting preferences in a profile page and the rest.
Legitimate interest’s limitations
1. There must be “a relevant and appropriate relationship between the individual and controller”.
2. Legitimate interests can only be relied on where the organisation’s interests are not overridden by the interests, fundamental rights and freedoms of the individual. It is for the organisation to demonstrate that balance, to demonstrate compelling legitimate grounds which override the individual’s interests, rights and freedoms if the individual objects, and to show that they’re acting in line with the rest of the GDPR.
3. When relying on legitimate interests an individual is still entitled to object to the processing. That right to object must be “explicitly brought to the attention of the individual and shall be presented clearly and separately from any other information”.
4. Legitimate interests isn’t a lawful justification for processing special or sensitive categories of data, or for processing carried out by public authorities in the performance of their tasks.
Legitimate interest vs consent
So how do you choose which route to take? Or can you use both? Here’s an interesting question: can you ask for consent and THEN argue that you have a legitimate interest if that consent isn’t provided?
The ICO and the Data Protection Authorities in other countries will be providing more detailed guidance on this in coming months, but for now here’s our summary to help you choose the right approach for you…
Comparison table: for each requirement, what consent demands, what legitimate interest demands, and how the two compare.

Requirement: Information to be provided
Consent: It should be transparent what data is collected and used, for what specific purposes, the existence and consequences of profiling, who is doing this processing, for what time periods and who will receive the data. Individuals should be made aware of risks, rules and safeguards.
Legitimate interest: As per consent, with additional information: an explanation of the legitimate interests pursued by the organisation, and the right to object to processing ‘presented clearly and separately from any other information’.
Comparison: The information burden when relying on legitimate interests is higher because of the additional requirement to explain more about how the data is used and to present “clearly and separately” the right (and method) to object to that processing. It could be a challenging task to balance the wording of this correctly.

Requirement: Information displayed at the point of collection
Consent and legitimate interest: Information necessary to set the correct expectations around the data collection, storage, usage, sharing and destruction. Context and established convention can be used to determine what is already expected. Attention must be drawn to any processing which wouldn’t be automatically expected.

Requirement: Additional information provided by a link to a Privacy Notice
Consent and legitimate interest: Clarification and detail concerning what is already understood and expected. Privacy notices can’t be used to set new expectations concerning data processing.

Requirement: Unexpected data use
Consent and legitimate interest: The less likely something is to be expected, the less likely that a linked privacy notice can be relied upon to inform individuals.

Requirement: Choice to be made available
Consent: For consent to be valid it can’t be a condition of a service; it must be a genuine choice which the individual can refuse or withdraw without detriment.
Legitimate interest: The right to object to processing “presented clearly and separately from any other information”.
Comparison: The wording is different, but the concept is the same: there must be a genuine choice which is easy to exercise.

Requirement: Opt-in or opt-out
Consent: Opt-in (consent should be given by a clear affirmative action).
Legitimate interest: Opt-out (the right to object to processing must be presented clearly).

Requirement: Processing for another purpose
Consent: When the processing has distinct purposes, consent should be granted separately for each purpose. Where there are closely linked multiple purposes, the additional processing may be covered without separate consent.
Legitimate interest: Determining a compatible “other purpose” for processing without additional or separate consent should take into account: any link between the purposes, the context of the data collection, the nature of the data, possible consequences and the existence of safeguards.
Comparison: The expectations for multiple purposes should be set at the point of data collection and explained fully in a layered Privacy Notice. Legitimate interests may allow for more complex uses of data when a separate opt-in (and the explanation required to make the consent “informed”) for each purpose would be difficult.

Requirement: Proof requirements
Consent: Consent must be provable, so it must be on an opt-in basis. Specifically, the organisation must be able to demonstrate that consent for that specific processing still exists, is informed and freely given. Where data is processed for multiple purposes you should be able to demonstrate that consent exists for each of those purposes.
Legitimate interest: The organisation must be able to demonstrate that its legitimate interests are not overridden by the interests, rights and freedoms of the individuals.
Comparison: Getting someone to perform a “positive affirmative action”, such as entering an email address or ticking a box, is easy and should be the way that most organisations operate if the use of data is simple to explain. If the use of data is complex, then the legitimate interest route may be easier for organisations to justify. Where there are multiple purposes, the proof of consent, or the proof that the purposes are suitably linked, can become difficult.

Requirement: Withdrawing consent
Consent: Websites and SMS communications are to have unsubscribe links and links to change consent for data processing. It must be as easy to withdraw consent as it was to give it. The user must have the ability to unsubscribe from electronic communications as well as the ability to withdraw consent “without detriment”; a service can’t be conditional on marketing or data processing consent.
Legitimate interest: Controllers must give individuals (free of charge) an electronic means of exercising their rights to access, rectify or delete their data, to exercise their right to object to processing, and to be able to verify the lawfulness of the processing.
Comparison: The wording is different, but the concept is the same: there must be a genuine choice which is easy to exercise.
Summary: Information, Choice and Proof
To summarise, let us repeat Article 6 of the GDPR:
Data shall be processed only when:
• The individual has given consent for the processing of their personal data for specific purposes;
• Or, processing is necessary for the performance of a contract with the individual;
• Or, processing is necessary for the legitimate interests pursued by the controller or by a third party, balanced with the interests and fundamental rights and freedoms of the individuals.
Underpinning both the consent approach and the legitimate interests approach there are the same fundamental concepts:
1. You must tell individuals who you are, what you’re doing, how and why.
2. You must give individuals control over their data by giving them genuine choices.
3. You must be in a position to demonstrate that what you’re doing is in line with 1 and 2.
The GDPR gives you a mechanism for data processing besides consent: legitimate interests. But this is far from a carte blanche, because your obligations are similar with both approaches.
What it means for your data processing
For you to decide which route to take you need to, firstly, review your own data practices and understand what data you collect, store, share and use. You also need to understand how you remove data when it’s no longer in use.
You need to look at the legitimacy of what you do, see whether you apply the concepts of data minimisation and data security, and be able to justify what you do if you were asked or challenged.
You need to understand the expectations of your customers and the other “data subjects” who provide you with their personal information.
You need to look at the choices you give and the control you allow data subjects to exercise over the data you hold.
Once you have this information, you need to look for differences between what you do, your obligations and the expectations of the data subjects. Those differences will tell you what you need to do now and in the near future.
Finally, whether you choose to obtain consent or justify legitimate interests depends on which mechanism is
most effective for you to set the correct expectations, to provide the required information, to allow individuals to
exercise control over their data and choice over marketing and your use of their data; and which mechanism is
most effective for you to demonstrate that you have done all of the above.
Our Privacy & Compliance series (2017, The General Data Protection Reform)
• Guide 1: What’s coming and what it means for you
• Guide 2: Can I have your number? Data collection & consent
• Guide 3: Ticking all the boxes? Processing & storing data
• Guide 4: Getting your ducks in a row: What campaigns can you send?
• Guide 5: Say what?! Translating the changes to your customers
• Guide 6: Is it me you’re looking for? The right to be forgotten
• Guide 7: Privacy notices
• Guide 8: Legitimate Interests
• Guide 9: Third Party Data in Email Marketing
Any questions? For more help and advice like this and to access our library of free resources,
visit the Communicator blog and resources sections at www.communicatorcorp.com
@CommCorp
+44 (0) 345 300 2337
Experts in Email Performance