People have many questions regarding Legitimate Interest in connection with the General Data Protection Regulation. Answers to these can be found in the recently published Guidance on the use of Legitimate Interests under the GDPR.
Developed by the Data Protection Network and welcomed by the Information Commissioner’s Office, it gives guidance on the circumstances in which Legitimate Interest may apply.
I advise everyone to read this Guidance. In particular, I'd like to highlight some key elements:
1. Legitimate Interest is acceptable for processing personal data
The Guidance reiterates that Legitimate Interest is one of the six lawful grounds for processing personal data. All six have an equal legal basis.
It also makes clear that "A direct relationship with the individual is not essential for relying on Legitimate Interests although the requirement to inform individuals that you have obtained their data from a Third Party would have to be taken into consideration."
2. Legitimate Interest can be used for direct mail from third parties
The Guidance provides helpful examples to illustrate where a Data Controller may consider the use of Legitimate Interest for processing personal data. One of these relates directly to catalogue marketing:
Example 21 – POSTAL MARKETING FROM THIRD PARTIES
A catalogue company adds details to its online order forms which indicate that it shares data with other cataloguers. The purchaser can opt-out of this sharing and the cataloguers are listed in the Privacy Statement.
Although this guidance states end-user cataloguers need to be listed, this is currently being questioned in the guidance around Consent. Our advice for now is to be explicit about the categories the cataloguers operate in (e.g. Food & Wine, Clothing etc.). In terms of the Abacus Alliance, these would be: clothing, collectables, food & wine, gardening, gadgets & entertainment, health & beauty, household goods, and home interiors.
3. A layered approach to providing consumers with information is acceptable
When individuals are informed about the processing of their data, the information has to be “…explicit, clear and separate from other information.” The guidance recognises this could result in notices becoming too detailed and difficult to understand.
To avoid this in an online environment, it suggests you can use a ‘layered’ approach. Here, you can provide links for individuals to click on to access more detailed information should they wish to. Page 16 of the Guidance provides an example of how this can work.
The publication of this Guidance is a big step forward. It begins to provide clarity around this issue in the same way the Consent guidance does. Although this may not be the final version, it is very helpful in preparing for GDPR as it answers many of the questions that are being raised.