Recognised legitimate interest guidance
About this guidance
These pages sit alongside our brief guidance [not yet available] and provide more detailed guidance for UK organisations on recognised legitimate interest under the UK GDPR.
For an introduction to the key themes and provisions of the UK GDPR, you should refer to the UK GDPR guidance and resources.
This guidance is aimed at UK organisations to help you use the recognised legitimate interest lawful basis in a way that complies with your obligations under the UK GDPR and Data Protection Act 2018 (DPA). We refer to these as ‘data protection law’.
It explains the lawful basis of recognised legitimate interest and how you can use it.
How should we use this guidance?
To help you to understand the law and good practice as clearly as possible, this guidance says what organisations must, should and could do to comply.
Legislative requirements
- Must refers to legislative requirements.
Good practice
- Should does not refer to a legislative requirement, but what we expect you to do to comply effectively with the law. You should do this unless there is a good reason not to. If you choose to take a different approach, you must be able to demonstrate that this approach also complies with the law.
- Could refers to an option or example that you could consider to help you to comply effectively. There are likely to be various other ways you could comply.
We have highlighted these words throughout this guidance for ease of reference.
Contents
What is the recognised legitimate interest basis?
What does the UK GDPR say about recognised legitimate interest?
What counts as a recognised legitimate interest?
What are the benefits of using recognised legitimate interest?
What’s the difference between recognised legitimate interest and legitimate interests?
When can we use recognised legitimate interest?
Why is it important to be clear what our purpose is?
Can more than one recognised legitimate interest condition apply at the same time?
Can public authorities use recognised legitimate interest?
Can we use recognised legitimate interest for children’s information?
Can we use recognised legitimate interest for special category data?
Can we use recognised legitimate interest for criminal offence data?
Can we use recognised legitimate interest to share people’s information?
Can we use recognised legitimate interest for automated decision-making?
What are the recognised legitimate interest conditions?
Public task disclosure request condition
What is the public task disclosure request condition?
When is the public task disclosure request condition likely to be appropriate?
What does a valid public task disclosure request look like?
How do we decide what’s necessary for this condition?
Can we decide not to share the personal information requested?
National security, public security and defence condition
What is the national security, public security and defence condition?
How do we apply the national security, public security and defence condition?
Emergencies condition
What is the emergencies condition?
How do we apply the emergencies condition?
Crime condition
How do we apply the crime condition?
Safeguarding condition
What is the safeguarding condition?
How do we apply the safeguarding condition?
Will this condition be appropriate for safeguarding in all circumstances?
How do we deal with changes in someone’s situation?
What else do we need to consider?
What other data protection obligations apply?
What do we need to tell people?