Legitimate Interests 2017 Guide 8 The General Data Protection Reform


Page 1: The General Data Protection Reform Guide 8 Legitimate ... · Share this guide Legitimate Interest ... Article 6 of the GDPR text gives us this information: ... you’re adhering to

Legitimate Interests

2017

Guide 8: The General Data Protection Reform


www.communicatorcorp.com 2

Share this guide

In this guide

Legitimate Interest introduced in the GDPR (page 4)

PECR

Legitimate interests for data processing

Demonstrating ‘reasonable expectation’ (page 7)

Legitimate Interest balanced with individual’s rights (page 8)

Giving individuals the right to object (page 9)

Legitimate interest’s limitations

Legitimate interest vs consent

Summary: Information, Choice and Proof (page 13)

What it means for your data processing


The GDPR sets out the requirements and conditions for collecting, storing and using personal data in a fair and lawful way, listing six grounds for lawfulness of processing:

• Consent

• Legitimate interest pursued by a controller

• Necessity for fulfilment of contract

• Legal obligation

• Necessary for vital interests of the data subject

• Necessity for performance of a task in the public interest

Legitimate Interest introduced in the GDPR

On Legitimate Interests, Article 6 of the GDPR text gives us this information:

Data shall be processed only when…

• The individual has given consent for the processing of their personal data for specific purposes;

• Or, processing is necessary for the performance of a contract with the individual;

• Or, processing is necessary for legitimate interests of the controller or by a third party, balanced with the interests and fundamental rights and freedoms of the individuals.

• Balanced with the privacy and expectations of the individual set by the time and context of the data collection, there may be legitimate interest for the controller to process the data without consent where there is a relevant and appropriate relationship between the individual and controller.

• The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest, subject to the balance [as defined above] and the right to object to marketing and associated profiling.

• This right [to object to marketing and profiling] shall be explicitly brought to the attention of the individual and shall be presented clearly and separately from any other information.

To put this into context, recitals 38, 56 and 57 explain further…


PECR

With email and SMS marketing, PECR defines the consent standards required for lawful marketing using electronic communications. PECR and GDPR are not interchangeable or a substitute for each other, but work in collaboration. With PECR setting high permission standards, email and SMS marketers must obtain explicit consent through a ‘positive affirmative action’ with a simple unsubscribe process. The GDPR doesn’t change this.

The GDPR increases consent standards, requiring firms to provide detailed information about their intended processing, in order for consent to be “informed”. Informed consent is simple in some scenarios, such as collecting an email address to add an individual to a mailing list. A simple lightbox signup form, like the below, does it perfectly…

Occasion Outfitters Boutique example

To any Email and SMS marketers who read ‘processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest’, it suggests that the GDPR allows email and SMS marketing without consent. But that is not the case!

Legitimate interests for data processing

However, informed consent isn’t so easy when you don’t yet know exactly how you’re going to process the data. Or if what you do is either really technical or you use the data for 20 different things. What if the way you use the data you collect gives no tangible benefit to anyone but it’s still essential to your business? Explaining what you do and gaining specific and informed consent will, at times, be difficult for you and could be detrimental to your relationship with your customers.


It’s for these scenarios that the GDPR has ‘legitimate interests’.

Looking again at article 6 of the GDPR:

Data shall be processed only when…

• […] processing is necessary for legitimate interests of the controller or by a third party, balanced with the interests and fundamental rights and freedoms of the individuals.

• Balanced with the privacy and expectations of the individual set by the time and context of the data collection, there may be legitimate interest for the controller to process the data without consent where there is a relevant and appropriate relationship between the individual and controller.

In the next pages of this guide we take a further look at each of the above points.


Part one: Demonstrating ‘reasonable expectation’

In order to be able to demonstrate that the individuals in question expect you to market to them, or expect you to use their data in a particular way, you must clearly explain “the legitimate interests pursued by the controller or by a third party”.

In other words, you have to say what you’re doing with the data before you collect it.

The full “information burden” which needs to be presented before collecting the data is this:

Identity of controller: Identity and contact details of the controller or controller’s representative and the contact details of the data protection officer.

Purposes: Purposes of the processing and any related legal basis for that processing.

Legitimate interests: The legitimate interests pursued by the controller or by a third party.

3rd parties: Any intended third party recipients of the data must be named or be in a defined category of third party recipients of the personal data.

Overseas transfer: Any intended data transfer to a third party country or international organisation, the existence or absence of an adequacy decision, and the appropriate safeguards.

Storage duration: The timescales or criteria defining the period for which the data will be stored.

Data rights: The existence of the right to request access to, rectification or erasure of the data; to request restriction of processing; and the right to data portability.

Consent withdrawal: The right to withdraw any given consent.

Complaints procedure: The right to lodge a complaint with the supervisory authority (ICO, in the UK).

Data necessity: The existence of any statutory or contractual necessity for the data.

Automated profiling: The existence and significance of any automated profiling or decision-making.

Some of this will be made clear by the context of the data collection, some by means of the data capture forms and some in an easily accessible privacy notice.


To make privacy notices effective you should make use of “layered” privacy notices, such as this one: https://privacy.microsoft.com/en-gb/privacystatement which has a simple navigation, expandable sections which toggle between top-level and detailed information, and which has the information around personal data use right at the top.

Because you need to demonstrate “reasonable expectation” you need to make sure that you give the individuals enough information up front, using the privacy notice for those who want more detail. What you can’t do is put something in the privacy notice which would be unexpected and then try to argue that the individuals should have read it all!

Part two: Legitimate interest balanced with individuals’ rights

This is the fun one! What you have to demonstrate is that what you’re doing is necessary and that you’re adhering to the rest of the GDPR principles, in particular the principles of purpose limitation and data minimisation.

In practice, you need to be able to show:

• That your business need is justified.

• A link between how you use the data and the context for which it was provided.

• That you collect the minimum data necessary and delete it once you’ve used it.

• That you have investigated the risks that the processing could have on the rights and freedoms of the individuals and that you’ve taken necessary steps to mitigate or remove those risks, such as employing appropriate data protection techniques like encryption, anonymisation and pseudonymisation.


Part three: Giving individuals the right to object

Legitimate interest’s limitations

1. There must be “a relevant and appropriate relationship between the individual and controller”.

2. Legitimate interests can only be relied on when the organisation’s interests override the individuals’ interests. It is for the organisation to demonstrate that their interests override the fundamental rights and freedoms of the individual, and that they’re acting in line with the rest of the GDPR.

3. When relying on legitimate interests an individual is still entitled to object to the processing. That right to object must be “explicitly brought to the attention of the individual and shall be presented clearly and separately from any other information”.

4. Legitimate interests isn’t a lawful justification for processing special or sensitive categories of data or for processing carried out by public authorities.

Ticking a box, unticking a box, clicking an unsubscribe link, setting preferences in a profile page and the rest.

Legitimate interest vs consent

So how do you choose which route to take? Or can you use both? Here’s an interesting question: can you ask for consent and THEN argue that you have a legitimate interest if that consent isn’t provided?

The ICO and the Data Protection Authorities in other countries will be providing more detailed guidance on this in coming months, but for now here’s our summary to help you choose the right approach for you…

The comparison below sets out, for each requirement, what consent demands, what legitimate interest demands, and how the two compare.

Requirement: Information to be provided

Consent: It should be transparent what data is collected and used, for what specific purposes, the existence and consequences of profiling, who is doing this processing, for what time periods and who will receive the data. Individuals should be made aware of risks, rules and safeguards.

Legitimate Interest: As per consent, with additional information: explaining the legitimate interests pursued by the organisation, and the right to object to processing ‘presented clearly and separately from any other information’.

Comparison: The information burden when relying on legitimate interests is higher because of the additional requirement to explain more about how the data is used and to present “clearly and separately” the right (and method) to object to that processing. It could be a challenging task to balance the wording of this correctly.

Requirement: Information displayed at the point of collection

Information necessary to set the correct expectations around the data collection, storage, usage, sharing and destruction. Context and established convention can be used to determine what is already expected. Attention must be drawn to any processing which wouldn’t be automatically expected.

Requirement: Additional information provided by a link to a Privacy Notice

Clarification and detail concerning what is already understood and expected. Privacy notices can’t be used to set new expectations concerning data processing.

Requirement: Unexpected data use

The less likely something is to be expected, the less likely that a linked privacy notice can be relied upon to inform individuals.

Requirement: Choice to be made available

Consent: For consent to be valid it can’t be a condition of a service; it must be a genuine choice which the individual can refuse or withdraw without detriment.

Legitimate Interest: The right to object to processing “presented clearly and separately from any other information”.

Comparison: The wording is different, but the concept is the same: there must be a genuine choice which is easy to exercise.

Requirement: Opt-in or opt-out

Consent: Opt-in (consent should be given by a clear affirmative action).

Legitimate Interest: Opt-out (the right to object to processing must be presented clearly).

Requirement: Proof requirements

Consent: Consent must be provable, so consent must be on an opt-in basis. Specifically, the organisation must be able to demonstrate that consent for that specific processing still exists, is informed and freely given.

Legitimate Interest: The organisation must be able to explain how their legitimate interests override the rights of the individuals.

Comparison: Getting someone to perform a “positive affirmative action”, such as entering an email address or ticking a box, is really easy and should be the way that most organisations operate IF the use of data is simple to explain. If the use of data is complex, then the legitimate interest route may be easier for organisations to justify.

Requirement: Processing for another purpose

Consent: When the processing has distinct purposes, consent should be separately granted for each purpose. Where there are closely linked multiple purposes, consent may be allowed for the additional processing without separate consent. Determining a compatible “other purpose” for processing without additional or separate consent should take into account: any link between the purposes, the context of the data collection, the nature of the data, possible consequences and the existence of safeguards.

Legitimate Interest: The expectations for the multiple purposes should be set at the point of data collection and explained fully in a layered Privacy Notice.

Comparison: Legitimate interests may allow for more complex uses of data when a separate opt-in (and the required explanation to make the consent “informed”) for each purpose would be difficult.

Requirement: Proof requirements

Consent: Consent must be provable, so it must be on an opt-in basis. Specifically, the organisation must be able to demonstrate that consent for that specific processing still exists, is informed and freely given. Where data is processed for multiple purposes you should be able to demonstrate that consent exists for each of those purposes.

Legitimate Interest: The organisation must be able to explain how their legitimate interests override the rights of the individuals.

Comparison: Getting someone to perform a “positive affirmative action”, such as entering an email address or ticking a box, is easy and should be the way that most organisations operate if the use of data is simple to explain. If the use of data is complex, then the legitimate interest route may be easier for organisations to justify. Where there are multiple purposes the proof of consent, or the proof that the purposes are suitably linked, can become difficult.

Requirement: Withdrawing consent

Consent: Websites and SMS communications are to have unsubscribe links and links to change consent for data processing. It must be as easy to withdraw consent as it was to give it. The user must have the ability to unsubscribe from electronic communications as well as the ability to withdraw consent “without detriment”: a service can’t be conditional on marketing or data processing consent.

Legitimate Interest: Controllers must give individuals (free of charge) an electronic means of exercising their rights to access, in order to rectify or delete their data, and also to exercise their right to object to processing and to be able to verify the lawfulness of the processing.

Comparison: The wording is different, but the concept is the same: there must be a genuine choice which is easy to exercise.

Summary: Information, Choice and Proof

To summarise, let us repeat Article 6 of the GDPR:

Data shall be processed only when:

• The individual has given consent for the processing of their personal data for specific purposes;

• Or, processing is necessary for the performance of a contract with the individual;

• Or, processing is necessary for legitimate interests of the controller or by a third party, balanced with the interests and fundamental rights and freedoms of the individuals.

Underpinning both the consent approach and the legitimate interests approach there are the same fundamental concepts:

1. You must tell individuals who you are, what you’re doing, how and why.

2. You must give individuals control over their data by giving them genuine choices.

3. You must be in a position to demonstrate that what you’re doing is in line with 1 & 2.

You have a new mechanism for data processing: legitimate interests. But this is far from a carte blanche because your obligations are similar with both approaches.

What it means for your data processing

For you to decide which route to take you need to, firstly, review your own data practices and understand what data you collect, store, share and use. You also need to understand how you remove data when it’s no longer in use.

You need to look at the legitimacy of what you do and see whether you apply the concepts of data minimisation and data security, and you need to be able to justify what you do if you were asked or challenged.

You need to understand the expectations of your customers and the other “data subjects” who provide you with their personal information.

You need to look at the choices you give and the control you allow data subjects to exercise over the data you hold.

Then… Once you have this information, you need to look for differences between what you do, your obligations and the expectations of the data subjects. Those differences will tell you what you need to do now and in the near future.

Finally, whether you choose to obtain consent or justify legitimate interests depends on which mechanism is most effective for you to set the correct expectations, to provide the required information, to allow individuals to exercise control over their data and choice over marketing and your use of their data; and which mechanism is most effective for you to demonstrate that you have done all of the above.

Our Privacy & Compliance series

The General Data Protection Reform, 2017:

• Guide 1: What’s coming and what it means for you

• Guide 2: Can I have your number? Data collection & consent

• Guide 3: Ticking all the boxes? Processing & storing data

• Guide 4: Getting your ducks in a row: What campaigns can you send?

• Guide 5: Say what?! Translating the changes to your customers

• Guide 6: Is it me you’re looking for? The right to be forgotten

• Guide 7: Privacy notices

• Guide 8: Legitimate Interests

• Guide 9: Third Party Data in Email Marketing

Any questions? For more help and advice like this and to access our library of free resources, visit the Communicator blog and resources sections at www.communicatorcorp.com

@CommCorp

+44 (0) 345 300 2337

[email protected]

Experts in Email Performance