Legitimate interests

There are new restrictions on the use of the "legitimate interests pursued by the controller or by a third party" ground for processing.

This ground can be applied "except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks."

This means that:

Recitals 38 - 39 of the GDPR give further guidance, which includes the following examples of "legitimate interests":

The "legitimate interests pursued by the controller" must also be considered in the light of the "reasonable expectations of data subjects based on their relationship with the controller".