GDPR Legitimate Interest Examples

  • 10th January 2022/

Legitimate Interest – a B2B Marketing Approach

Prior to May 2018 when GDPR came into effect, most responsible data providers had already been preparing for GDPR for two years. This was incredibly important to work out how the industry was going to cope with the new, more restrictive regime. We hold no data at UK Marketing, and are not part of the process of gaining and maintaining third party data, but we have been very active in helping to form the industry-wide collective approach to the GDPR.

Since GDPR’s implementation we have also been regularly in touch with both the ICO and the DMA to discuss issues that arise for B2B marketers. In addition, we have undergone an extensive review and due diligence process on all our UK and overseas suppliers to ensure that their data collection is compliant with GDPR, and that their systems are robust enough to be able to deal with the rigours of GDPR, with respect to areas like Subject Access Requests, for example.

Our suppliers have adopted different approaches for the legal processing of personal data. Some have gone down the ‘consent’ route, whilst others use ‘legitimate interest’. Under GDPR no single legal basis has precedence over another. They are all treated equally, but crucially the two legal bases are both permitted for direct marketing.

When using data that is consented then the situation is clear. The data subject has opted in to receive marketing from the company sending it. Clearly this is very restrictive for prospecting as the data subject may not have heard of you, although they may well benefit from your services.

Legitimate interest is when, after an assessment and a balancing test has been conducted, it is surmised that on balance, your interests in sending the marketing materials are not outweighed by those of the data subject. This needs to be carefully considered:

“[Legitimate interests] is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.” (ICO, Legitimate Interests).

On balance, if you can surmise that the data subjects would expect to receive messages about your services during the course of their work, then you meet the criteria. It is quite subjective.

Our suppliers using LI have been sending messages to their European data subjects informing them of what data is held on them and why it is being held. Data subjects have been given the opportunity to opt-out and also to study the supplier’s privacy policy. They have also been informed that third parties may use the data on the grounds of legitimate interest. The approach was championed by the DPN and tacitly supported by the ICO. We believe that if carefully done this approach is compliant. It does, however, require that you also complete the assessment and that all your communications are both compliant, and relevant to the data subject.

What Is Legitimate Interest for GDPR?

Let’s examine the definition of ‘legitimate interest’. The reason it is sometimes confusing is because the bases on which data can be used is flexible under the definition. Frequently, the main condition is that if the data is used in a way the subject would expect, it normally qualifies as legitimate interest. Other key factors that are good indicators:

  • There is a small risk that the processing of the data infringes on privacy
  • There is not a lawful requirement to process the data, but there is a clear benefit to doing so

Does Legitimate Interest Apply For Marketing?

A frequently asked question is whether legitimate interest can apply when it comes to direct marketing. The answer is yes, it can, depending on a number of factors.

Direct marketing is one of the main reasons that businesses collect customer and prospect data. Consent is required, of course, and the GDPR Regulation does specify in recital 47 that ‘the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest’.

If you’re not confident or comfortable that your use of data for marketing would qualify under ‘legitimate interest’, you can follow the 3 step test in the next section to help determine whether or not it would.

What Is The GDPR Assessment For Legitimate Interest?

To determine whether a data provider has a basis for processing data under the banner of legitimate interest, there is a three part test which can be taken. It is broken down into the following sections:

1. The purpose test (identify and confirm the legitimate interest)

There are lots of reasons that could be considered ‘legitimate interest’. They could be your interests, those of a third party, or commercial interests. Some interests are likely to be considered ‘legitimate’ as they are necessary for administrative or compliance purposes. Questions to ask include:

  • Why do you want the data?
  • Who benefits from the processing?
  • Would the use of the data be unlawful or unethical?

2. The necessity test (consider if the processing is necessary for the purpose)

‘Necessity’ in this context means that the processing of data is a reasonable way of achieving your aim without a less intrusive way of achieving the same result. Questions to ask include:

  • Is the processing reasonable?
  • Is there a less intrusive method you could use to achieve the same result?

3. The balancing test (consider the subject’s interests and whether or not they take precedence over the legitimate interest).

Balance your interests against those of the data subject. In general, interests are more likely to be considered legitimate if the processing is within the reasonable expectations of the individual. However, your interests do not have to be the same as the data subject. It can still be valid as long as there is a justification for any impact on the subject. Questions to ask include:

  • What is your relationship with the subject?
  • Would they expect you to use their data in this way?
  • What is the possible impact on them?
  • Can you offer an opt-out?

GDPR Legitimate Interest B2B Examples

Here are some case studies of businesses that would have legitimate interest in making contact with a list of business emails:

Example 1

Scenario: A toy company produces a colourful wall calendar for children, and wants to increase sales by approaching other outlets who may be interested in stocking the calendar.

Email database: decision-makers at garden centres, book shops, calendar shops, childrens’ shops, stationers.

Legitimate interest rationale: these businesses sell calendars or products for the same target audience and may be interested in extending their range of calendars.

Example 2

Scenario: An organisation that specialises in cleaning products or services wants to increase its reach by marketing and selling to a broader customer base in the cleaning services sector.

Email database: named senior decision-makers such as MDs, owners and directors at cleaning companies, with budgets to purchase cleaning products.

Legitimate interest rationale: these businesses use the products and services provided by the cleaning product provider, and may potentially want to use them as a supplier.

Example 3

Scenario: A financial services, legal practice or property management services company wants to quickly and easily contact a list of estate agents who could be potential clients.

Email database: Owners and directors of estate agencies who will make the decisions about suppliers and partners.

Legitimate interest rationale: the range of services on offer are all of potential interest to estate agents.

Example 4

Scenario: A pet food supplier is looking to broaden its audience by selling their product in more outlets.

Email database: A list of senior personnel at pet shops including company name, individual name, job title and email address, phone numbers, revenue size indicator.

Legitimate interest rationale: the supplier’s products are a good match for the outlets they’re contacting and the pet shops may be interested in stocking the products.

If you’re in need of contact lists, we have quality, fully verified and compliant business lists for mailing and email at the best prices. To find out more, get in touch

Related Posts

Comments are closed.