GDPR and Legitimate Interests and The Right to Object

Transcript of the Video

Good evening, ladies and gentlemen. Suzanne Dibble here, data protection law expert, coming to you raw and uncut. Just a quick video tonight due to lack of sleep on the plane and jet lag.

I was putting together a video in relation to the query about Facebook retargeting, which is a really interesting area, but it's going to take more brain power than I have at the moment to do a video on that.

I came across something that I know I haven't really talked about before, so I thought I'd do a standalone video on this for ease of reference.

Now, if you've watched any of my training already, you'll know that one of the first steps of working this whole puzzle out is what is my lawful ground of processing personal data, and you'll know that consent is just one of those grounds. The other ground that we talk about a lot is legitimate interests.

Legitimate interests is a ground that is a little bit gray. It's not black and white. You have to carry out a balancing test. There's a legitimate interest assessment form in my pack that, really, you have to carry out every time you want to rely on legitimate interests and keep that on record.

In summary, legitimate interest allows you to process data without people's consent because this is a standalone ground of processing in its own right. Subject always to what I say about PECR. Now, watch my videos on that, but ultimately, legitimate interests, if it's within your legitimate interests as a data controller, which we know direct marketing is a legitimate interest, for example, because the recitals tell us that. If it's a legitimate interest, and you've balanced that against any impact on the rights and freedoms of the individuals, and those rights and freedoms don't outweigh your legitimate interest, then you can process under that ground.

Now, it's a bit more complex than that, and please do watch the videos that I've specifically done on legitimate interest, but what I haven't talked about is where you are relying on legitimate interest, it's the right to object, and that's what I'm going to be talking about on this video.

So, we know that if you're processing data on a consent ground that we have to give the data subject the right to opt out. I think everyone's kind of understood that, but what we haven't talked about is what happens with legitimate interest. Now, it's not phrased as an 'opt-out,' it's phrased as a 'right to object to the processing' that is based on legitimate interests, and there are two different parts to this ... Well, there's more, but for our purposes, we're going to focus on two different parts. One is for the right to object for direct marketing, and the other is pretty much everything else.

If somebody does object to you processing under the grounds of legitimate data, then you must stop that processing unless you can demonstrate compelling, legitimate grounds for the processing which override the interests, rights, and freedoms of the individual or the processing is for the establishment, exercise, or defense of legal claims. Again, it's very much on a case by case basis as to whether you can demonstrate that compelling, legitimate grounds that override the interests, rights, and freedoms. At the moment we don't have any examples as to what that might be, but you need to be comfortable, and obviously, if you are going against a right to object, you need to be very, very comfortable that you have compelling, legitimate grounds that override the rights and freedoms of the individual.

Now, with direct marketing, if you're using legitimate interest as a grounds for direct marketing, and I've done videos on that separately, so if you're confused about that and when you can rely on legitimate interest for direct marketing, go and have a watch of those videos. I'm also going to be including it in the webinar that I'm doing next week about marketing, all different types of marketing areas and GDPR.

If you receive a right to object to processing personal data for direct marketing purposes, then you must stop processing that personal data as soon as you receive an objection, and there's no exemptions or grounds to refuse that right. You've got to deal with it, I'd say, straight away and free of charge.

That's the two distinctions, okay. For direct marketing purposes, you've just got to stop the processing. If you're relying on legitimate interest as the ground to processing and someone objects, you've got to stop.

With pretty much everything else, there's a couple of other tweaks like scientific and historical research and statistics, and performance of a task in public interest or in the exercise of official authority, but ultimately if you are direct marketing, and somebody says, "Stop it," you have to stop it.

With direct marketing then, the easiest thing to do is to treat it in the same way as an opt-out. So, if you're relying on legitimate interests, what you need to do is you need to actually inform individuals of their right to object. Now, the ICO guidance says, "At the point of first communication, and also in your privacy notice, it must be explicitly brought to the attention of the data subject, and shall be presented clearly and separately from any other information." It's the same for direct marketing as for anything else.

In a similar way that when you start emailing people when it's based on consent, you would say, "You have the right to opt-out at any time," and you always have that 'unsubscribe' link at the bottom of your email. It's pretty similar where you're relying on legitimate interests. You need to advise on the point of first communication, that first marketing email, or whatever it is; you need to advise them of their right to object.

Firstly, you need to tell them that you are processing on the basis of legitimate interest. You would do that in your privacy policy, and then you would tell them that they're able to object, and essentially, that is the same as an opt out. They would click on the link and then be removed from your direct marketing.

Okay, I think that is all. Yeah, so if you are processing activities that are carried out online, so if you're doing email marketing or something like that, then you have to offer a way for individuals to object online. You couldn't say in your privacy policy, or in the body of the email, "To object please write to us at such an address." You would have to have a way of them doing it online.

So, that is what we need to be thinking about when you've decided to rely on legitimate interests as your basis for processing.

I'll try and dig out some examples. I've not actually seen any in the body of an email where somebody said, or where somebody's phrased it as, you know, "We're relying on our legitimate interest for this marketing. You have a right to object at any time." I've never seen words like that at the bottom of an email, so I'll do a bit more digging and see if I can find any examples of that.

I just wanted to bring that to your attention because, as I say, I don't think we've touched on that before.

Okay, so I hope that's clear. As I say, I am going to be soon doing a video on Facebook marketing, and I'm not sure at the moment, I'll have to see when I scope out the content for the webinar, whether I'll include that in the webinar, or whether I'll do a separate video on Facebook marketing because I know it is a big gray area for lots of us.

You know, I use Facebook ads and do retargeting in my own business, and I have looked at it a number of times and I'm just really struggling to find any guidance, to be honest. There is stuff online which is from people selling solutions that ... Anyway, I won't go into it.

It's always interesting when you read blogs online, and you can clearly tell that from their interpretation it's because they're selling stuff. Yeah, it's sort of a marketing solution that lends itself to one interpretation, or another, but I'm still on the case with that. As I say, that will either be in the webinar next week or a standalone video.

If you haven't already, and you've got marketing questions that you feel haven't been answered in the group, or you'd just like more of a general overview, then please find the post that I did yesterday that talked about the webinar, and pop your comment on the bottom of that so that I can make sure I cover that in the webinar.

Okay, well I'll leave it there, and I hope to see as many of you as possible on the webinar. It will be a good opportunity to pull it all together and get all of your questions out in the open, and any concerns that you've got on the marketing side.

Okay, take care, guys. I'll see you soon.