A Simple Guide to ‘Legitimate Interests’ and Marketing

Following on from my previous blog post, “What Does GDPR Mean for Marketing?”, it’s important that marketers know how to use legitimate interests for marketing purposes.

After GDPR comes into effect on the 25th May 2018, marketers will need to adapt their practices to comply with the new privacy rights for individuals and understand what is considered lawful grounds for processing personal information.

I’ll be focusing on one part of GDPR, ‘legitimate interests of the controller or third party’, to hopefully give marketers a better understanding of what it means and how to use it in their strategies.

Lawful Grounds for Processing Data

There are 6 ways you can process data – Article 6.1 of GDPR

1. Consent by the consumer

2. Processing is necessary for a contract with the consumer or to aid entering a contract

3. For a legal obligation

4. Necessary to protect the interests of the consumer, or another person

5. To fulfil a task that is in the public’s interest

6. Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child

In a nutshell, to process data you either need consent from the consumer to use their personal information or use the ground of ‘legitimate interests’. It might be a bit confusing to understand what would class as a legitimate interest, but it should start to make sense shortly.

What would be a Legitimate Interest?

In this context, legitimate interests mean you process data for a justified reason. Note that, as the DPN points out, legitimate interests ‘must be real and not too vague’.

Whether or not your grounds for ‘legitimate interests’ are for marketing purposes, there are still some requirements you need to abide by.

You need to be able to:

– Justify that your planned use of consumers’ personal information is necessary

– Make it clear to consumers how you plan to use their data

– Make it simple for consumers to object to their data being processed

For example, grounds for legitimate interests will probably be justified for risk assessments, checking the age of minors or for consumer rights.

Are You Sure Legitimate Interests Applies?

It’d be easy to lose sight of what a reasonable legitimate interest is, so perhaps ask yourself a few questions to justify your actions …

– Is the processing absolutely necessary? Would you be able to fulfil your actions without the data?

– Do your interests ignore the interests of your consumers? The answer should be no.

– Are you just taking the easy option? Could you fulfil your intended action by asking for consent?

Of course, consent isn’t always possible, but you should still try to ask for consent wherever possible.

Grounds for Legitimate Interests

Marketers may be within their rights to process data for reasonable purposes like …

Direct Marketing

“the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”

Here, consent may not be viable or preferred, but you will need to show that there is a balance of interests. You need to demonstrate you’re acting in the interests of not only your business but your consumers too. By processing their data, will it help them too? Or will it just benefit the business?

As I’m sure you’re aware, everyone has the right to decline direct marketing, e.g. by unsubscribing or contacting the company directly.

For the Purposes of a Relationship

It may be reasonable and appropriate to process clients’ data. You need to get to know them to understand their needs.

It Was Expected

It might be reasonable to assume, as the controller, that individuals have an expectation their data will be processed.

You Have to Know

Article 21 of the GDPR – consumers still have the right to object to their data being processed, even for legitimate interests! But controllers will be given the opportunity to defend themselves.

Remember, GDPR has put the consumer in the driver’s seat. Ultimately, they’re in charge and most of the time they’re responsible for how their personal information is handled.

The Bottom Line

Apart from obvious grounds for legitimate interest, like risk assessments or legal obligations, I think it’s quite difficult for marketers to have specific guidelines. It’s quite subjective and perhaps what one marketer sees as legitimate may not be what another one does …

Hopefully the grey areas will be a bit more specific in time, but for now all we can do is prepare and follow the general guidelines given to us.

If you’re looking for a bit more clarification, head over to the Data Protection Network for extra guidance.

About the author: 

Marie Harwood is a Digital Marketing Assistant at Different Gravy Digital, Hale, Cheshire.
