The term “legitimate interest” refers to the reasonable business purpose that the market research company may have for processing personal data. This may include a benefit inherent in the processing for the company itself or for society at large.
The GDPR provides that the legitimate interests of the controller (or third parties) must be necessary for these purposes, except where such interests are overridden by the rights and freedoms of the data subject which require protection of personal data. This means that researchers need to determine whose legitimate interests are at stake (the market research company's or a third party's) and understand what exactly those legitimate interests are.
Researchers using legitimate interests as a lawful basis need to, first of all, carry out an assessment before processing any personal data of respondents. This assessment is referred to as a balancing test. The balancing test weighs what the controller considers a legitimate interest on the one hand against the rights of the data subjects on the other.
The balancing test must always be conducted fairly. Several factors need to be considered, including:
- The nature of the interests of the controller and the reasonable expectations of the data subject (respondent). Is there already an existing relationship between the market research company and the respondent?
- The impact of the processing on the respondents’ rights and freedoms and the severity of that impact; for this purpose, it is useful to consider the particular status of the respondent (e.g. a child, an employee, a customer).
- Safeguards which are in place or could be put in place: the market research company needs to ensure that there are appropriate technical and organizational measures in place that will protect the respondent, and mitigate any risks or potential negative impacts of the processing.