The legitimate interest that a website invokes is one way of determining how much the website is allowed to track you. It has been around for a long time, but it has become even more visible.
When visiting a new website, a user will usually be presented with a pop-up window asking for approval for cookies. Most click “accept” without thinking.
If you decide to adjust your settings, you will often be presented with a mysterious term called legitimate interest. It is one of the grounds for using personal data.
These browser-based cookies are, in effect, the way personal information is collected online. Cookies are also used to track a user from one website to another.
Even if you just order shoes from an online store, a legitimate interest may well apply. In this situation the trader is considered entitled to benefit from the customer’s personal data. This can include, for example, the customer’s name, e-mail address, telephone number, street address, or the payment card information needed to sell and deliver the product.
A legitimate interest can often overlap with other grounds justifying the processing of personal data. It helps define what the party requesting personal data is allowed to do and what it can achieve with the data. The legitimate interest is enshrined in the European Union’s General Data Protection Regulation, the GDPR.
– For example, in situations where someone is a customer, there may be a legitimate interest, says the EDPS Anu Talus.
A legitimate interest alone is not sufficient grounds for asking about, for example, a person’s state of health, political orientation or sexual orientation.
In general, relying on a legitimate interest presupposes that the processing of the requested personal data is credibly within the remit of the controller.
Talus gives an example of a situation where there was no legitimate interest in the processing of personal data. Ten years ago, there was a service where tombstone data was to be brought online. In that case, no justification was found for a legitimate interest. This was before the general data protection regulation, when the matter was dealt with by the Data Protection Board.
According to the European Commission, a company or organization often has to process personal information in order to perform business-related tasks. Where the processing of data cannot be justified by a legal obligation or an agreement with an individual, the use of a legitimate interest may be considered.
According to the Commission, a legitimate interest relates to the processing of data in a customer relationship, for example in the context of direct marketing, the prevention of fraud or the safeguarding of the network and security of IT systems.
Legitimate interest is very much a sliding scale, as is the question of what personal information can be processed in its name. There is no straightforward answer to where the line goes. Cases are assessed one by one.
– A legitimate interest is a very broad ground for treatment [of personal data]. It always requires that the registrar [such as a merchant] weigh and evaluate the situation itself, Talus emphasizes.
Read those requests
A legitimate interest is never a free pass for the controller to process personal data. For example, a person may object to the processing of their data. Another commonly used ground is consent.
Website permission requests are easy to bypass by agreeing to everything. However, Talus recommends reading them.
– Yes, they usually give that consent quite widely, Talus warns.
The EDPS has also seen direct abuse of legitimate interest. There have been situations where the user is first asked for consent to the processing of personal data and later, after the user has withdrawn his or her consent, the processing of the data has nevertheless continued on the basis of a legitimate interest.
– This can’t be heard, Talus underlines.
Source site www.is.fi