Processing personal data—legitimate interests

The following Risk & Compliance practice note provides comprehensive and up-to-date legal information covering:

  • Processing personal data—legitimate interests
  • Why is this important?
  • The lawful grounds for processing personal data under UK GDPR
  • Public authorities
  • Legitimate interests and special category personal data
  • Definition of legitimate interests
  • Processing must be necessary
  • Conducting a legitimate interest assessment
  • When can a legitimate interest be claimed?
  • Using legitimate interests to disclose data to third parties

Processing personal data—legitimate interests

This Practice Note explains the scope for relying on legitimate interest as a lawful ground for processing personal data under the UK General Data Protection Regulation (UK GDPR). It is based on the requirements of the UK GDPR and detailed guidance from the Information Commissioner’s Office (ICO) on legitimate interests under the UK GDPR. For guidance on conducting a legitimate interest assessment (LIA), see Practice Note: GDPR compliance—conducting a legitimate interest assessment. See also Precedent: Legitimate interest assessment—data processing and Legitimate interest assessment flowchart.

Why is this important?

An organisation cannot simply process personal data because it wishes to do so. It can only process personal data if it satisfies one of the conditions set out in UK GDPR, Art 6(1). These are commonly known as the ‘lawful grounds’, ‘legitimate grounds’ or ‘conditions’ for processing.

If your organisation processes personal data in the absence of a lawful ground, it will breach the UK GDPR. Failing to comply with the UK GDPR can expose an organisation to serious reputational damage, claims by aggrieved data subjects and fines up to £17.5m or up to 4% of the total worldwide annual turnover.

The lawful grounds for processing personal data under UK GDPR

Under UK GDPR, there are six potentially lawful grounds for processing personal data.

  1. the data subject has given consent to the processing of their personal data
