Processing personal data—legitimate interests

The following Risk & Compliance practice note provides comprehensive and up to date legal information covering:

  • Processing personal data—legitimate interests
  • Why is this important?
  • The lawful grounds for processing personal data under UK GDPR
  • Public authorities
  • Legitimate interests and special category personal data
  • Definition of legitimate interests
  • Processing must be necessary
  • Conducting a legitimate interest assessment
  • When can a legitimate interest be claimed?
  • Using legitimate interests to disclose data to third parties
    • More...

Processing personal data—legitimate interests

This Practice Note explains the scope for relying on legitimate interest as a lawful ground for processing personal data under the UK General Data Protection Regulation (UK GDPR). It is based on the requirements of the UK GDPR and detailed guidance from the Information Commissioner’s Office (ICO) on legitimate interests under the UK GDPR. For guidance on conducting a legitimate interest assessment (LIA), see Practice Note: GDPR compliance—conducting a legitimate interest assessment. See also Precedent: Legitimate interest assessment—data processing and Legitimate interest assessment flowchart.

Why is this important?

An organisation cannot simply process personal data because it wishes to do so. It can only process personal data if it satisfies one of the conditions set out in UK GDPR, Art 6(1). These are commonly known as the ‘lawful grounds’, ‘legitimate grounds’ or ‘conditions’ for processing.

If your organisation processes personal data in the absence of a lawful ground, it will breach the UK GDPR. Failing to comply with the UK GDPR can expose an organisation to serious reputational damage, claims by aggrieved data subjects and fines up to £17.5m or up to 4% of the total worldwide annual turnover.

The lawful grounds for processing personal data under UK GDPR

Under UK GDPR, there are six potentially lawful grounds for processing personal data.

  1. the data subject has given consent to the processing of their personal data

Navigate the law quickly and efficiently with Lexis®PSL
Imagine being able to quickly find up-to-date guidance on points of law and then easily pull up sources to support your advice. With LexisPSL, you can.
TAKE A FREE TRIAL Take a free trial Take a free trial
Related documents:

Popular documents

Breach of statutory duty

Breach of statutory duty

Breach of statutory dutyThis Practice Note considers claims for damages for breach of statutory duty. For guidance on claims for damages for a negligent breach of duty of care outside a statutory duty, see Practice Notes:•Negligence—when does a duty of care arise?•Negligence—when is the duty of care

Methods of statutory interpretation used to resolve ambiguities in legislation

Methods of statutory interpretation used to resolve ambiguities in legislation

Methods of statutory interpretation used to resolve ambiguities in legislationIP COMPLETION DAY: 11pm (GMT) on 31 December 2020 marks the end of the Brexit transition/implementation period entered into following the UK’s withdrawal from the EU. At this point in time (referred to in UK law as ‘IP

Discharge by frustration

Discharge by frustration

Discharge by frustrationCoronavirus (COVID-19): In addition to the below content on force majeure generally, see also:•Coronavirus (COVID-19) toolkit—Contracts•Coronavirus (COVID-19) and contractual obligations—checklisttogether with the Q&A (in the related content pod on the right hand side) for

Qualified one-way costs shifting (QOCS)

Qualified one-way costs shifting (QOCS)

Qualified one-way costs shifting (QOCS)What is QOCS?Qualified one-way costs shifting (QOCS) was introduced on 1 April 2013 as part of the Jackson costs reforms following the removal of a claimant’s right to recover additional liabilities from the defendant, ie success fees and after the event (ATE)