What Are the Legitimate Interests in the GDPR?

The General Data Protection Regulation (GDPR) was adopted in April 2016 and has applied since May 25, 2018. The Regulation represents a major step forward in data protection, and it reaches companies around the world that offer goods or services to people in the EU or monitor their behaviour. It imposes strong obligations on data controllers (organisations that decide why and how personal data is processed) and data processors (organisations that process personal data on behalf of a controller). In this article, we will examine legitimate interests, the lawful basis in Article 6(1)(f) that a controller may rely on instead of consent. Specifically, we will focus on: (1) justifying the processing of personal data; and (2) limiting the processing of personal data to what is necessary.

Personal Data

Let’s start with an easy one. What is personal data? Under GDPR, personal data is any information relating to an identified or identifiable natural person. A person is identifiable if they can be picked out directly (by name, for example) or indirectly (by an identifier such as an IP address, or by combining several pieces of data). This can include:

  • first name
  • last name
  • phone number
  • email address
  • IP Address
  • gender
  • wedding anniversary
  • personal documents
  • social media handles
  • demographic data
  • medical data
  • psychological data
  • vehicle data
  • financial data
  • genetic data
  • cloud data

Personal data also includes information that identifies a person only indirectly, or only when combined with other data the business holds. For example, a business that holds personal data of customers will usually also hold personal data of individuals at its investors or suppliers, and those records are personal data too, even though they are not tied to any customer. For each category of data it holds, the business then has to determine the minimal information required to fulfil the identified purpose of the processing.

Purpose Of The Processing

The other half of the equation is the purpose of the processing. This is what the controller (the business that collects the personal data) wants to achieve through the processing of the data. The purpose should be legitimate, and the processing should be necessary to achieve it. For example, if processing is necessary for a business to generate meaningful reports for internal use, the purpose would be legitimate. But if the company wants to sell personal data to a third party, that purpose is unlikely to survive the balancing test: the data subjects would not reasonably expect it, and their interests and fundamental rights would normally override the company's commercial interest, so the processing would have no lawful basis. Legitimate interests should not be confused with mere convenience or commercial motive: relying on Article 6(1)(f) requires a documented three-part assessment, namely a purpose test (is the interest legitimate?), a necessity test (is the processing necessary for it?) and a balancing test (do the individual's interests, rights and freedoms override it?).

Necessity is a bit trickier to define. To determine whether the processing is necessary for the purpose, the company should examine:

  • whether the purpose can reasonably be achieved without the data at all;
  • whether the data is already available to the business from a relevant and appropriate source, so that it need not be collected again;
  • whether the same purpose can be achieved in a less intrusive way, for example with fewer fields, aggregated data or pseudonymised data;
  • whether the processing places a disproportionate burden on the individuals affected;
  • whether the processing involves children's data, which GDPR says merits specific protection; and
  • whether the amount of data, the scope of the processing and the retention period are proportionate to the purpose.

In addition, the source the business draws on should be both relevant and appropriate for the purpose. For example, if the purpose is to generate statistics about our website visitors, the relevant source is our own server logs or analytics data, collected with the least identifying information the statistics actually need; pulling in additional profile data about those visitors from search engines or other third-party sources would go beyond the purpose and would not be necessary.

Lawfulness Of The Processing

As we’ve established, one of the defining features of GDPR is that it is a data protection law. This means that it prescribes how data controllers and data processors should act in order to ensure that personal data is handled lawfully. In particular, Article 32 requires that processing be protected by technical and organisational measures appropriate to the risk, such as pseudonymisation, encryption, access control and the ability to restore availability after an incident. Under data protection by design (Article 25), these safeguards should be put in place before the processing starts, and they should be periodically reviewed and updated as the processing requirements and the risks change.

In addition, lawfulness of the processing must be considered from the perspective of the individual whose data is being processed. In other words, we have to ensure that the processing is carried out in a way that is consistent with the rights and freedoms of the individual.

Last but not least is the question of how much data, and for how long: the principles of data minimisation and storage limitation (Article 5(1)(c) and (e)). Under GDPR, data controllers and data processors are legally required to ensure that processing is not excessive. Specifically, they must ensure that:

  • the data is not processed for more than what is necessary; and
  • the data is not processed for longer than is necessary.

The Regulation does not spell out in detail what ‘more than what is necessary’ means; it is a principle the controller must apply to its own purposes and document. Essentially, if the identified purpose of the processing can be achieved with less personal data, the controller must collect less, and data that is no longer needed must be anonymised or deleted. Where data has to be retained for a further purpose such as archiving, research or statistics, it must be kept with appropriate safeguards, in particular pseudonymisation and, where the purpose allows, in a form that no longer identifies the individual (Article 89). A simple rule of thumb is to ask yourself: ‘Does the purpose I have identified require this data item? If so, keeping it is probably justified; if not, it’s probably excessive.’
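To make the data minimisation and storage limitation principles concrete, and to show pseudonymisation as one of the technical safeguards discussed under lawfulness of the processing, here is an added worked example; it is not code from the original article. It keeps a registry of purposes, each with the fields it actually needs and a retention period, strips every other field from a record, and once the retention period has elapsed either deletes the record or replaces the customer identifier with a keyed pseudonym so statistics remain possible without identifying anyone. The purpose names, field names, retention periods, key and sample records are all constructed for illustration.

```python
"""Purpose-bound data minimisation and retention enforcement.

Added example, not code from the original article. The purpose registry,
field names, retention periods, key and sample records are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
from datetime import date, timedelta

# Constructed purpose registry. Each purpose lists the fields it actually
# needs (data minimisation), how long identifiable records may be kept
# (storage limitation) and what happens once the period has elapsed.
PURPOSES = {
    "internal_reporting": {
        "fields": {"customer_id", "country", "signup_date"},
        "retention_days": 365,
        "after_retention": "pseudonymise",  # statistics stay useful
    },
    "order_fulfilment": {
        "fields": {"customer_id", "email", "postal_address", "signup_date"},
        "retention_days": 90,
        "after_retention": "delete",        # nothing left to fulfil
    },
}

# Fields that identify a person on their own; they are dropped whenever a
# record is kept past its retention period.
DIRECT_IDENTIFIERS = {"email", "postal_address", "phone"}

# Constructed key. In a real deployment it lives in a secrets store and is
# held by a party that does not have access to the pseudonymised data set.
PSEUDONYM_KEY = b"constructed-example-key-rotate-in-production"


def minimise(record: dict, purpose: str) -> dict:
    """Keep only the fields the named purpose needs (Art. 5(1)(c))."""
    allowed = PURPOSES[purpose]["fields"]
    return {k: v for k, v in record.items() if k in allowed}


def pseudonymise_id(customer_id: str) -> str:
    """Keyed hash (HMAC-SHA256) of the identifier (Art. 4(5)).

    Records stay linkable for statistics, but without the key the
    pseudonym cannot be mapped back to the customer.
    """
    digest = hmac.new(PSEUDONYM_KEY, customer_id.encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def enforce_retention(record: dict, purpose: str, today: date) -> dict | None:
    """Apply storage limitation (Art. 5(1)(e)) to one minimised record.

    Within the retention window the minimised record is kept unchanged.
    Past it, the purpose's after_retention policy decides: delete the
    record (return None) or strip direct identifiers and replace the
    customer id with a keyed pseudonym.
    """
    spec = PURPOSES[purpose]
    kept = minimise(record, purpose)
    age = today - date.fromisoformat(record["signup_date"])
    if age <= timedelta(days=spec["retention_days"]):
        return kept
    if spec["after_retention"] == "delete":
        return None
    reduced = {k: v for k, v in kept.items() if k not in DIRECT_IDENTIFIERS}
    if "customer_id" in reduced:
        reduced["customer_id"] = pseudonymise_id(reduced["customer_id"])
    return reduced


def process_batch(records: list[dict], purpose: str, today_iso: str) -> dict:
    """Run a whole data set through minimisation and retention.

    Returns the records that may still be held for the purpose and the
    number that had to be deleted.
    """
    today = date.fromisoformat(today_iso)
    kept, deleted = [], 0
    for rec in records:
        out = enforce_retention(rec, purpose, today)
        if out is None:
            deleted += 1
        else:
            kept.append(out)
    return {"kept": kept, "deleted": deleted}


# Constructed sample records: a full CRM row holds far more than either
# purpose needs (phone, gender, wedding anniversary).
SAMPLE_RECORDS = [
    {"customer_id": "c-1001", "email": "ana@example.com",
     "postal_address": "1 Main St", "phone": "+351000000",
     "country": "PT", "gender": "F", "wedding_anniversary": "2010-06-12",
     "signup_date": "2024-01-15"},
    {"customer_id": "c-1002", "email": "ben@example.com",
     "postal_address": "2 High Rd", "phone": "+440000000",
     "country": "GB", "gender": "M", "wedding_anniversary": "2005-03-02",
     "signup_date": "2021-05-20"},
]

if __name__ == "__main__":
    for purpose in PURPOSES:
        print(purpose, process_batch(SAMPLE_RECORDS, purpose, "2024-03-01"))
```

Run against the constructed records on 2024-03-01, the reporting purpose keeps both records but only three fields each, and the older record's identifier is replaced by its pseudonym; the fulfilment purpose keeps the recent order with its delivery details and deletes the one past 90 days. The keyed hash is the important design choice: a plain SHA-256 of a customer id can be reversed by anyone who can enumerate ids, so the pseudonym only counts as a safeguard if the key is held separately from the data.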

Data Protection Officer (DPO)

DPOs are introduced in Articles 37 to 39 of the GDPR to protect data subjects (individuals whose personal data is processed). A DPO is a person (usually, but not necessarily, an employee) whose responsibility it is to inform and advise the organisation, to monitor its compliance with GDPR, and to act as the contact point for data subjects and the supervisory authority. A DPO must be knowledgeable about data protection law and practice, must be involved in all data protection matters, and must be able to report directly to the highest level of management and raise objections without being instructed how to decide or penalised for doing so. Finally, a DPO should also be someone that the company can trust to handle sensitive data ethically and appropriately.

A person whose personal data is being processed is also known as a data subject. A controller is the party that determines the purposes and means of the processing. A processor is a separate party, typically a vendor, hosting provider or agency, that processes personal data on the controller's behalf and only on its documented instructions (Article 28). Employees acting under the controller's authority are part of the controller, not processors. The same organisation can be a controller for some processing and a processor for other processing.

Recourse is the right of the person whose personal data is being processed to seek redress against controllers or processors that violate their rights. Under GDPR, the individual has the right to lodge a complaint with a supervisory authority, in particular in the member state where they live or work or where the alleged infringement took place (Article 77). The supervisory authority then examines the complaint and decides whether to take action; its powers include ordering the controller or processor to bring processing into compliance, imposing a temporary or definitive ban on processing, and issuing administrative fines.

Independently of any complaint, the individual also has the right to an effective judicial remedy in court against the controller or processor (Article 79) and to compensation for material or non-material damage caused by an infringement (Article 82). The European Commission does not hear individual claims; administrative fines are imposed by the supervisory authorities. Depending on the provision breached, a fine can reach €10 million or 2 percent of the company's total worldwide annual turnover of the preceding financial year, or €20 million or 4 percent, whichever is higher (Article 83).

The GDPR does not set up a separate anonymous reporting system; the route for individuals is the complaint and court remedies described above, and a complaint can also be lodged on the data subject's behalf by a not-for-profit body active in the field of data protection (Article 80). What the Regulation does fix are deadlines and safeguards around reporting: a controller must respond to a data subject's request without undue delay and within one month (Article 12(3)), must notify a personal data breach to the supervisory authority within 72 hours of becoming aware of it where feasible (Article 33), and must inform affected individuals without undue delay when the breach is likely to result in a high risk to them (Article 34). Personal data that is shared for scientific research or statistical purposes must be subject to appropriate safeguards, in particular pseudonymisation, and where the purpose can be fulfilled with anonymised data, anonymised data must be used (Article 89).
