As a company/organisation, you often need to process personal data in order to carry out tasks related to your business activities. The processing of personal data in that context may not necessarily be justified by a legal obligation or carried out to execute the terms of a contract with an individual. In such cases, processing of personal data can be justified on grounds of legitimate interest.
Your company/organisation must inform individuals about the processing when collecting their personal data.
Your company/organisation must also check that by pursuing its legitimate interests the rights and freedoms of those individuals are not seriously impacted, otherwise your company/organisation cannot rely on grounds of legitimate interest as a justification for processing the data and another legal ground must be found.
Your company/organisation hasa legitimate interest when the processing takes place within a client relationship, when it processes personal data for direct marketing purposes, to prevent fraud or to ensure the network and information security of your IT systems.
- Article 6 and Recitals (47), to (49) of the GDPR
- Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC