The GDPR prohibits a company from processing personal data unless one of six “lawful purposes” is present. One of those lawful purposes occurs when processing is necessary for a “legitimate interest pursued by the controller or by a third party.”[1]
While the “legitimate interests” a controller may point to when processing personal information are effectively unlimited, the following is a non-exhaustive list of legitimate interests commonly relied upon by controllers:
- Debt collection;
- Direct marketing;
- Employee monitoring for management purposes;
- Employee monitoring for safety;
- Enforcement of legal claims;
- Management of whistle-blowing programs;
- Network security;
- Physical security;
- Prevention of fraud;
- Prevention of misuse of services;
- Research and development; and
- Unsolicited non-commercial messages.[2]
This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes. You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.
1. GDPR, Article 6(1)(f).
2. WP 217 at 25.