First of all, the GDPR recognizes multiple options for the legal basis of data processing, meaning, you are only allowed to process personal data based on one of the explicitly mentioned and predetermined bases. You must choose one legal basis per processing purpose — but different purposes can rely on different bases. As an example, an address could be used for billing and for package delivery as well.
Before you do anything with personal data, you have to decide the legal basis in advance and consider the consequences of your choice. Without further ado, let’s see the difference between consent and legitimate interest as legal bases.
Consent
Seems straightforward — we’ve all done it. But there are some things worth knowing about it. As a best practice (or, we could say, the better-safe-than-sorry way), it requires an explicit and provable way of collecting consent in advance. You have to manage these records, and if someone wants their data deleted, generally you must comply and confirm the deletion.
(There are always exceptions, such as a legal obligation or the exercise of legal claims, which would prevent deletion for a time; this only prevents the data from being used for a specific purpose. Imagine someone steals from a shop and then asks to have the camera footage deleted. It makes perfect sense to keep the recording as evidence for the legal proceedings. But these are rather special cases, as the example also suggests.)
Consent also has to be freely given, which complicates things in certain cases. For example, in employment matters, you can often argue whether the person really had a choice. Also, can you ensure that your electronic backups can be handled in a way that allows you to remove the data in a practical manner?
Legitimate Interest
This is a potentially much better legal basis, as the person concerned has no automatic right to have their data deleted, which can be much simpler from an operational point of view — think of deletion from backups or maintaining the integrity of your records. Sounds good?
There are still important things to consider: the GDPR prohibits processing of personal data by default (you need one of the 6 legal bases to do so), so you must prove that you need this data for your business, that the processing aligns with your actual business needs, and that it does not override the rights of the individual.
(Although the data subject still has the right to object and ask for deletion, if you are able to demonstrate compelling legitimate grounds that override the individual’s rights, you may keep the data.)
What do you need to do?
You have to assess the aforementioned factors and additional ones… but how? The magic term is the Legitimate Interest Assessment (LIA). Yes, it’s true that it requires more documentation, but it provides significant advantages.
The UK’s ICO has a great explanation page for understanding the basics of the LIA: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/legitimate-interests/how-do-we-apply-legitimate-interests-in-practice/
Let’s see how this would look in a general case (note: each EU country may have slight divergences, as the GDPR — as the name suggests — is the General Data Protection Regulation, and member states are allowed to set additional rules).
Let’s use the examples from the previous post to better understand how it works:
- a small yoga studio offering online classes,
- a local animal rescue NGO coordinating volunteers,
- a neighborhood bakery running a simple loyalty program.
Example 1: Yoga Studio
In the case of the yoga studio newsletter, consent was the right choice — but in certain cases, you may utilize legitimate interest with the same email addresses. Imagine your yoga studio is in a business relationship with the local sports store. You support each other: the sports store sends people your way, and you recommend the sports store for yoga mats. Now the sports store has a great New Year’s deal on yoga mats, so you send this offer to the people who signed up for your newsletter. This can be based on legitimate interest, but I would always recommend being upfront with people who sign up for your newsletter if you have such intentions, as transparency is one of the cornerstones of data processing.
Please note that many EU countries require prior consent for marketing emails. A recent ruling further clarified the rules around it: https://www.lexology.com/library/detail.aspx?g=bbdc6fd3-9b60-47d9-81ca-1b2bda4d9166
Example 2: Animal Shelter Volunteers
If we look at the animal shelter volunteer list, the picture changes. Consent looks good at first glance, and you may have seen similar cases where someone asked for your consent. But let’s say you want to keep records of when a volunteer worked or who handled certain tasks based on their schedule. If you relied on consent, you would be in trouble if the volunteer asked to withdraw it — you would have to delete these records as well. We would argue that it is a legitimate business interest to hold onto this information, right? So if there is no other legal basis available, legitimate interest would be more appropriate and logical here instead of consent.
Example 3: Neighborhood Bakery
In our last example — the neighborhood bakery with a simple loyalty program — the answer is simply: it depends. It’s the favorite answer of compliance professionals, as the devil is in the details, and the correct response or alternatives can only be given when the full picture is clear. To determine the right legal basis, we first need to understand how, what, and why data is being processed. Is it a simple paper system where a stamp is added to each paper card and no name or other identifier is collected? Then the GDPR does not apply, and no action is needed at all.
But what if there is an app that requires registration or tracks users in a way that makes them easily identifiable (e.g., via location data)? That’s already a much more complicated situation.
If you want to know what to do in similar cases — or in a completely different one — please contact us and let’s see how we can help.