GDPR – Legitimate Interest

I’ve been getting a growing number of emails similar to this one, received today:


It is worrying that, with GDPR just around the corner, personal data is being marketed in this way, and I’ve already brought it to the attention of the Data Protection Officer.

For processing of personal data to be lawful it has to meet one of the criteria on this illustration used in our training sessions:

Lawfulness of processing

For a lot of businesses in Guernsey, processing should rely on contractual obligations with the client or on legal obligations (e.g. CRS/FATCA, AML, etc.).  Consent is a possible basis too, but it comes with significant drawbacks, chief among them that it can be withdrawn at any time.  A growing band of businesses, however, seem to think that ‘Legitimate Interests’ justifies any sort of processing they might want to conduct for business purposes.  This is absolutely not the case.

The Information Commissioner’s Office (ICO) in the UK has been explicit on this:

It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing….

There are three elements to the legitimate interests basis. It helps to think of this as a three-part test. You need to:

  • identify a legitimate interest;
  • show that the processing is necessary to achieve it; and
  • balance it against the individual’s interests, rights and freedoms.

Selling people’s contact information as suggested in this email might be in the business interests of the entities doing it, but is it really how people who give their email addresses to a Chamber of Commerce expect their information to be used? Is it really balancing the individual’s interests, rights and freedoms when they don’t know their information is being sold, and the company responsible leaves control of it in the hands of the purchaser? Selling on personal information seems a particularly risky ‘legitimate interest’ to rely on, given that the seller has no knowledge of how it will subsequently be used.

Using ‘Legitimate Interests’ means the data controller takes on the extra risk of getting this wrong.  If you are planning to rely on it, make sure you have a well-considered, documented rationale and that no other more appropriate basis applies.  I’ll leave you with a quick update on getting this horribly wrong….

Holmes financial

Full article available at


Author: Tommy (ápeiron)

I started ápeiron alongside some longstanding comrades from the finance industry in Guernsey. I moved to the island as a qualified accountant in 2003 with my family and have been providing services to the finance sector ever since. Those services have included advisory, consultation, audit, financial due diligence, pre-GFSC visit health checks, forensic accounting and lots and lots of reporting engagements. I've worked with a number of household-name top accounting firms and helped develop their own quality and industry standards.
