GDPR Ready

The General Data Protection Regulation ("GDPR") is the primary piece of legislation in Europe that significantly impacts all aspects of personal data processing. While the GDPR imposes significant changes on businesses, such as monetary fines of up to 4% of global revenue or 20 million euros, it also expands the rights of data subjects, such as "right to be forgotten" claims. In such a dynamic world where privacy is "by design," the guiding idea should be to provide owners more control over their private data.

Given that explicit consent is the fundamental need for data processing, "legitimate interest" is one of the exceptions and the most flexible legal foundation for processing.

We are treating it with caution because to its flexibility and fragility! We closely monitor the related European governmental and independent regulatory agencies and have painstakingly adapted our operations to their standards.


An 'interest' can be regarded 'legitimate' if the Controller can pursue it in a manner consistent with data security and other applicable laws.

Legitimate interest is defined in both Article 6 1(f) and Recital 47 of the GDPR. Recital 47 expressly determines marketing purposes as legitimate: “…the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate aim.”

This does not, however, imply that all processing for commercial reasons is permissible on this basis. You must still demonstrate that your processing meets the requirements for necessity and balance.

When considering the balance test, you should also take this into consideration:

  • if individuals would be expected you to utilize their information in this manner;
  • the annoyance factor associated with unwanted marketing messages; and
  • Consider the impact your communication technique and frequency may have on more susceptible persons, such as children.

Given that people have an equal right to object to marketing strategy per Article 21(2), it becomes harder to pass the balancing test if you do not provide consumers with a clear choice to opt out of direct marketing at the time their information is collected (or in your initial communication with the subject, if the information was not gathered directly from them).

Legitimate interests may be your own or those of third parties. They may be commercial, individual, or societal in nature.

It would be best if you weighed your own interests against those of others. If they did not reasonably anticipate the processing or if it would result in unjustifiable harm, their interest are likely to take precedence over your legitimate interests.


Indeed, “Yes.” This form of processing is also legal if legitimate interests justify it, but you must follow the three-part Legitimate Interest Assessment criteria.

Consider using legitimate interests as a legal justification for such processing. You must, however, define the exact reason for which the processing is being carried out and ensure that the processing is genuinely essential for that purpose.

If you pass the first two components of the three-part test, you must also pass the balancing test. You may discover that it is uncomplicated, as business contacts are more likely to anticipate processing their personal data in a commercial context reasonably, and the processing is less likely to have a material impact on them personally.

Please see for additional information on the legitimate interest principle and its assessment test, which we have also strictly followed and applied in our business operations or contact us via e-mail.