What else do we need to consider?
In detail
What do we need to tell people?
You must tell people:
- what your purpose for processing personal information is;
- that you’re relying on legitimate interests as your lawful basis; and
- what those legitimate interests are.
You must include this in your privacy information. You must also ensure that you actively communicate your privacy information to the people affected.
What if our purposes change?
If your purposes change over time, or you have a new purpose which you didn’t originally anticipate, you may be able to use legitimate interests as a lawful basis. But you must ensure your new purpose is compatible with your original purpose.
The UK GDPR sets out the circumstances where the reuse of personal information is compatible with the original purpose you collected it for. These are when:
- you get new consent for the reuse from the person whose information it is;
- you want to reuse the personal information for scientific or historical research, statistics or archiving in the public interest (in accordance with UK GDPR rules on these purposes);
- you want to use the information to ensure or demonstrate compliance with a data protection principle;
- you want to use the information for a purpose described in a condition listed in annex 2 of the UK GDPR; or
- your use is necessary to safeguard a public interest objective listed in article 23(1) of the UK GDPR, and what you want to do is authorised by law.
If you can’t meet one of these circumstances, you must carry out a compatibility assessment. This is to comply with the UK GDPR’s purpose limitation principle.
A compatibility assessment is likely to look at similar factors to an LIA because it considers:
- your purpose;
- reasonable expectations;
- impact on people; and
- possible safeguards.
You should also do a fresh LIA. This helps you demonstrate compatibility and that legitimate interests applies to the new purpose on its own merits.
Remember that, even if your use of the personal information for a new purpose is lawful using legitimate interests, you must still:
- consider whether it is fair and transparent;
- ensure it complies with the purpose limitation principle (or satisfies an exemption from that principle); and
- give people information about the new purpose.
Further reading – ICO guidance
For more information on reusing personal information and compatibility assessments, see our guidance on purpose limitation.
What rights do people have?
Most of the data protection rights are available to people when you rely on legitimate interests as your lawful basis.
However, the right to data portability doesn’t apply in this circumstance. It only applies if you’re relying on consent or contract as your lawful basis. So, if you rely on legitimate interests, you don’t have to comply with portability requests that people make.
But you must not choose legitimate interests in order to stop people exercising this right. This creates an unwarranted impact on people’s rights and makes it challenging to rely on legitimate interests in the first place. If consent or contract is more appropriate, you must consider them instead.
People also have the right to object to processing on the basis of legitimate interests. However, unless you’re using personal information for direct marketing, this right isn’t absolute. You may be able to show a compelling reason for you to continue to use the information, even if someone has objected to that use.
To demonstrate you have "compelling legitimate grounds" to override someone’s right to object, you must have a strong justification to keep using their information. This is more than simply repeating the balancing test. And you should consider the reasons why the person is objecting.
The right to object to direct marketing is absolute. This includes profiling when it’s for the purposes of direct marketing. No compelling legitimate interest overrides this right. So, if someone objects to you using their information for direct marketing, you must stop using it for that purpose. (See the section "Can we use legitimate interests for our direct marketing activities?" for more information.)
Remember, people can exercise their rights at any time. You must make people aware of their rights and clearly bring these to their attention. You should make it easy for them to exercise their rights.