GDPR (10) Consent or legitimate interest

13 October 2017

In previous instalments of this blog, we looked at the different possible legal bases that exist for processing personal data. In some cases there are a number of legal bases that can be relied on. But how do you choose the best legal basis to justify your processing operations?

Answering this question is more difficult than it may seem. Nevertheless, it is important to take time to consider this aspect because the choice you make has consequences. Some legal bases provide more certainty in the long term than others. Switching between different possible legal bases, however, causes confusion and can create the impression that you are trying to mislead the data subjects.

The choice of legal basis is clear as long as the data in question is processed for the purpose of providing agreed services under a contract (e.g. contact details for orders, deliveries or the provision of services, and billing) or in connection with legal obligations. Choosing between obtaining consent from data subjects and relying on a legitimate interest, however, is much more difficult.

Requesting the consent of the data subjects always seems to be a good option but it also entails risk. If you request consent but fail to obtain it, this obviously means you are no longer allowed to process the relevant data. Imagine that you are planning a marketing campaign and you send a letter or e-mail to everyone listed in a file in order to request explicit consent to contact them in the future. As the response rate to this kind of communication is perhaps around 10%, the result would be that you would no longer be able to use the vast majority of your contacts.

You would, of course, be on safe ground in those cases where you could demonstrate you had obtained such consent. Obtaining consent would also allow you to create a positive image, by openly communicating your intentions and taking account of the preferences of your contacts. At the same time, however, it would make it difficult to disseminate your campaigns widely, and it would make it extremely hard to add any new recipients. Finally, there would always be a risk that at some point in time data subjects might go back on their decision and withdraw their consent, leading to a further erosion of your contact base.

In that case, what are the alternatives? You can always rely on the legitimate interest of your organisation as a legal basis. To continue with the example of a marketing campaign, a commercial organisation cannot function if it does not have the chance to present and advertise its products. As mentioned previously, you have to put your case together carefully. First of all, the data to be used for processing must be limited to data that is strictly necessary. Having less information automatically reduces the risk of a serious breach of privacy. A file that only contains contact details is obviously not as critical as a large data set that includes sensitive data.

Next, you need to take all measures necessary to properly protect the data and guarantee confidentiality. You have to demonstrate that the collected data cannot be used for another purpose. This will allow you to maintain a balance between the interests of the data subjects and those of your own organisation. It is best to keep brief notes (or more detailed notes, if appropriate) of the line of reasoning you followed in your records. In that case, if any disputes arise later on, you will always be able to demonstrate that you have been acting in good faith and have considered the right matters.

Unfortunately, even if you take all these measures you cannot rule out the possibility that a legitimate interest which is used as a legal basis may be challenged at any time. A data subject who feels they have been unfairly treated or a competitor that thinks you follow unfair practices may submit a complaint to the Privacy Commission, which may lead to an investigation and possibly legal action. The outcome of any such legal action will depend on how the auditors or court interpret the specific facts, and this may, of course, be different from your own assessment. In that case, you may be fined or prohibited from processing data, and you may have to pay damages. When giving its judgment and deciding on the remedial action to be taken, the Privacy Commission will take the overall situation into consideration. The facts will weigh more heavily in the case of an organisation that has failed to implement any aspects of the privacy legislation properly. If, however, you have taken the necessary measures and can put forward clear arguments as to why you believe certain processing operations are justified, the facts will not count as strongly against you.

We realise that this is not a clear answer and we have not provided a straightforward guideline, but privacy is a right that needs to be weighed against other rights and it will always be a matter of interpretation and debate. That said, common sense and an honest, open approach go a long way. The next thing you need to do is clearly communicate and properly document the perspective you have adopted. And it goes without saying that you need to take the expected security measures throughout the data processing process in order to limit the risk of data breaches.


Viktor D’Huys is the ICT manager of Group Joos. He is responsible for matters including data security and the coordination of the GDPR project. He is a Certified Information Security Manager (CISM certified by the ISACA) and has been awarded the CIPP/E (Certified Information Privacy Professional/Europe) credential by the IAPP (International Association of Privacy Professionals).

If you have any questions or comments, please write to us at