In our latest article in the series about GDPR we take a closer look at ‘legitimate interest’. What does it stand for and what might it entail for your business? Paloma’s CEO, Peter Berg, helps us clarify the concept.
Why has the issue of ‘legitimate interest’ arisen in connection with the new data protection regulation GDPR that enters into force on May 25 this year?
Answer: I think the issue has emerged because PUL, the Personal Data Act, the law that GDPR is replacing this spring, and the Marketing Act, MFL, raise specific situations and areas where saving data without consent is allowed.
Can you give some examples of such situations?
Answer: For example, in certain cases concerning direct marketing. According to PUL, your personal data may be processed without consent if it is clearly stated that the data controller’s legitimate interest outweighs the data subject’s interest in privacy protection.
What does the Marketing Act say about how we are allowed to use direct marketing without consent?
Answer: This is what MFL says about direct marketing, in a general sense:
‘A trader may, in their marketing to a physical person, only use electronic mail, telefax or such automatic calling machines, or other similar automated systems for individual communication that is not served by an individual, if the physical person has consented to this in advance.’
But the requirement for consent does not apply if:
- the data subject has not actively opposed mailings and e-mail marketing from you and your company;
- the marketing relates to the trader’s own, similar products or
- the physical person is clearly given the opportunity to, free of charge and in a straightforward manner, oppose the use of the data for marketing purposes when it is collected and with each subsequent marketing announcement.
How does GDPR’s ‘legitimate interest’ compare to PUL’s balance of interests and MFL?
Answer: In PUL and MFL, balance of interests means that you may save personal data without consent when marketing specific products – if a particular interest to the recipient exists!
In principle, the same balance applies with GDPR and after May this year it will still be possible to process personal data without consent. But it must be assessed on a case-to-case basis, and after considering the balance of interests. Direct marketing may be such a legitimate interest.
Are there any differences between PUL’s balance of interests and GDPR’s legitimate interest?
Answer: Yes, of course! GDPR places significantly higher demands on personal data protection. For instance, when it comes to saving personal data that belongs to children. The processing of personal data is only legal if it is absolutely necessary for your company or organisation to save the data, and if the data subject’s interests, rights and freedoms do not carry more weight and require special protection, such as when the data subject is a child.
What does the Swedish Data Protection Authority say about the difference between PUL and GDPR regarding balance of interests and legitimate interest?
Answer: The Data Protection Authority still refers to a brochure on balance of interests under PUL. Information about balance of interests according to PUL can be found here.