An ‘interest’ can be considered as ‘legitimate’ when the Controller can pursue this interest in a way that complies with data protection and other laws.
Legitimate interest is defined both in Article 6(1)(f) of the GDPR and in its Recital 47. Marketing purposes in particular are explicitly described as legitimate in Recital 47, as follows: “…The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
This doesn’t automatically mean that all processing for marketing purposes is lawful on this basis. You will still need to show that your processing passes the necessity and balancing tests.
When looking at the balancing test, you should also consider factors such as:
- whether people would expect you to use their details in this way;
- the potential nuisance factor of unwanted marketing messages; and
- the effect your chosen method and frequency of communication might have on more vulnerable individuals, such as children.
Given that individuals have the absolute right to object to direct marketing under Article 21(2), it is more difficult to pass the balancing test if you do not give individuals a clear option to opt out of direct marketing when you initially collect their details (or in your first communication, if the data was not collected directly from the individual).
The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.
You must balance your interests against the individual’s. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.