What else do we need to consider?
What do we need to tell people?
You must tell individuals:
- what your purpose for processing personal data is;
- that you are relying on legitimate interests as your lawful basis; and
- a summary of what the relevant legitimate interests are.
You need to include this in your privacy information. You also need to ensure that you actively communicate this information to the individuals.
What if our purposes change?
If your purposes change over time or you have a new purpose which you did not originally anticipate, you may be able to continue processing for that new purpose on the basis of legitimate interests as long as your new purpose is compatible with your original purpose.
Information on how to assess compatibility can be found in our lawful basis for processing guidance.
A compatibility assessment is likely to look at similar factors to an LIA because it also needs to consider your purpose, reasonable expectations, impact on individuals and possible safeguards. We would therefore recommend that you always conduct a fresh LIA as a matter of good practice, as this helps you demonstrate both compatibility and that legitimate interests applies to the new processing on its own merits.
Remember that even if the processing for a new purpose is lawful on the basis of legitimate interests, you still need to consider whether it is fair and transparent, ensure it complies with the purpose limitation principle (or satisfies an exemption from that principle), and give individuals information about the new purpose.
What rights will individuals have?
Most of the rights afforded to individuals are available if you are relying on legitimate interests as your lawful basis.
However, if you rely on legitimate interests then the right to data portability does not apply to any personal data being processed on that basis. This means that you do not need to comply with portability requests from individuals. Remember that you cannot choose legitimate interests in order to frustrate portability requests if the lawful basis of ‘necessary for performance of a contract’ applies, as this would be an unwarranted impact on individuals’ rights.
You should remember that individuals do have the right to object to processing on the basis of legitimate interests. However, this is not an absolute right, and you may be able to show that the processing should continue (unless you are processing for direct marketing purposes).
In order to continue processing despite an objection you must be able to demonstrate compelling legitimate grounds. Demonstrating compelling legitimate grounds is more than simply repeating the balancing test, as you need a stronger justification to override a specific objection and you need to consider the particular grounds that the individual has raised.
If you are relying on legitimate interests for direct marketing purposes, you need to stop the processing if the individual objects. This includes profiling to the extent that it is for the purposes of direct marketing. The right to object to processing for direct marketing purposes is absolute and the individual can exercise this right at any time. No compelling legitimate interests override this right to stop direct marketing.
Latest updates
26 October 2022 - We’ve made a small change to the wording of our good practice recommendation to conduct a legitimate interests assessment (LIA) if you want to use data for a new purpose. This can be found under the ‘What if our purposes change?’ section.
Although the recommendation hasn’t changed, we’ve updated it to align with a recent update to our guidance on lawful basis which says you need to identify your lawful basis for any new compatible processing, and to emphasise that a single LIA can help you do both things.