Lawful basis Part II.

As the entry into force of the GDPR approaches, we continue in our search for the most appropriate lawful basis and assess each requirement. The most discussed kind of legal basis is “legitimate interests”. It is the most flexible one and is designated for various situations, where the others obviously don’t fit. Nevertheless, you cannot assume it will always be appropriate or applicable. If you choose to rely on legitimate interests, you must take into account the responsibility for assessing and protecting people’s rights and interests.

There are particular steps a controller needs to take to be able to rely upon its Legitimate Interests subject to:

  1. Determining the legitimacy of an interest: interest must be lawful, therefore in compliance with relevant laws, clearly articulated allowing the balancing test to be carried out and represent not speculative, but real and present interest.
  1. Determining the necessity for achievement of pursued interest: other, less invasive methods are unavailable to achieve the legitimate interest.
  1. Carry out a Balancing Test

Several factors must be considered when weighting the legitimate interests. These include the nature of the interests, the impact of processing and any safeguards which are or could be put in place. The nature of the interests includes the reasonable expectations of the individual about the processing taking place and the type of data. The impact of processing includes positives and negatives and also the likelihood and severity of impact on the individual.

Few recitals of the GDPR provide us with the examples of legitimate interests. Processing of personal data for direct marketing may be regarded as carried out for legitimate interest. Since consent is not viable or preferred everywhere, although you will still need to show there is a balance of interests. Of course, any individual can object to direct marketing and it is one of the examples of legitimate interests for which objection is already fairly well understood and easy to action (e.g. unsubscribe link).

Relevant and appropriate relationship, such as where the individual is a client, will be very commonly used legitimate interests. If the client has expressed his interest in the previous campaign, the controller may certainly approach him with the e-mail about the upcoming campaign. Whereas I would definitely recommend double opt-in style, proving information about the legitimate interests as well as about the rights of data subjects.

Some reasons for legitimate interest are meant for the controller to be able to ensure his safety and the personal data safety. Processing for preventing fraud and transmitting personal data within the group of undertakings for administrative purposes applies here. Furthermore, the processing for the purposes of ensuring network and information security.

Where legitimate interests are relied on in relation to specific operations, this will now need to be set out in relevant information notices. Individuals are able to object to processing based on legitimate interests. The burden now lies on data controllers to prove they have compelling grounds to continue processing the data.

For all we have stated to lawful basis issue in the GDPR there is an exemption, namely Sensitive personal data. In order to process special category data lawfully, you must identify both a standard lawful basis (art.6) and a separate condition for processing special category data. Those bases do not have to be linked. You must determine your condition for processing sensitive data prior to processing and document it. The choice of lawful basis is independent. For example, if you use consent as your lawful basis, you are not restricted to use the explicit consent for special category processing.


Lawful basis management is necessary for the GDPR solution in every bigger organization processing personal data, as it would not be efficient to engage several employees with this. If you want to build strong process to control lawful basis, you should:

  • Review all activities regarding data processing,
  • Reveal and record lawful basis for each processing activity,
  • If consent is the basis for processing, set its GDPR’s standards,
  • If legitimate interest is the basis for processing, assess the legitimate interest in consideration with the rights of data subjects and maintain records for the accountability
  • Document and manage lawful basis to achieve accountability.

Here is an example how we deal with lawful basis management using our identity management software – midPoint.

Evolveum's midPoint - lawful basis
midPoint’s lawful basis management screenshot

Leave a Reply

Your email address will not be published.