Legitimate interest as a basis for processing

The most discussed alternative to consent, both under the Data Protection Act and under the GDPR, is legitimate interest. The main advice is that while it is possible to use legitimate interest instead of consent in some cases, it is a basis that should be used carefully, and consent should always be chosen when the possibility exists.

Legitimate interest is helpful in certain cases. A good example is that of a finance company which is unable to locate a customer who has stopped making his payments. The customer no longer lives at the address given in the contract and has not provided the new address to the company. In order to seek payment of the debt, the finance company seeks help from a debt collector. It is obvious that the customer’s consent was not obtained for this transfer. However, the situation is a clear example of legitimate interest, which does not need the customer’s consent.

Even in this situation, where the interest of the company clearly overrides that of the customer, the processing of the information has to be fair and lawful. For example, the finance company has to make sure that the data transferred to the debt collector is accurate and that only data relevant to the purposes of the processing is shared.

When the processing is necessary

Necessity of processing does not always override consent, but when it does, certain conditions must be met. For example, we can define as necessary the processing that occurs in relation to a contract which the data subject has entered into. Similarly, when the data subject makes a request in order to enter a contract, the processing is necessary.

“Vital interest” of the data subject is also found in this category. However, this condition will mostly apply in life and death situations, when the medical history of a patient needs to be disclosed for emergency treatment.

Something to note here: if the organization can achieve the purpose in a different manner or if the necessity is related only to how the business operates but not to the interest of the data subject, the conditions for processing to be necessary are not met and consent is required.