Legitimate interest

Legitimate interest is one of the six legal bases provided by the GDPR that justify the processing of personal data, in addition to consent, contractual obligations, legal obligations, vital interests, and the performance of a task carried out in the public interest. According to Article 6 of the GDPR, legitimate interest allows a company to process personal data when the processing is necessary to pursue a legitimate interest of the data controller (i.e., the company), provided that such interest is not overridden by the rights and fundamental freedoms of the data subject.

A common example of processing based on legitimate interest can be analyzing customer data to improve product and service offerings or sending promotional communications in specific contexts.

The recent guidelines published by the EDPB (October 2024) clarify that to apply the legal basis of legitimate interest, three cumulative conditions must be met (and documented in accordance with the accountability principle):

1. Pursuit of a legitimate interest by the data controller.
2. Necessity to process personal data to achieve such legitimate interests: in particular, the guidelines specify that this processing is considered necessary when the underlying legitimate interest cannot reasonably be achieved as effectively by other less restrictive means.
3. Balancing of interests between the data subjects and the data controller, which must favor the data controller while always respecting the rights of the data subjects.

Trust Guardian’s approach to Legitimate Interest
Trust Guardian facilitates its management by centralizing information on purposes based on legitimate interest, monitoring compliance, and keeping track of the evidence needed to demonstrate the legitimacy of the processing for each data subject. This approach not only reduces the risk of sanctions but also improves data subjects’ trust, ensuring that their rights are respected and that each processing activity is justified transparently and responsibly.