There are new restrictions on the use of the "legitimate interests pursued by the controller or by a third party" ground for processing.
This ground can be applied "except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks."
This means that:
- the interests and fundamental freedoms of all data subjects must be considered;
- controllers must specifically consider the interests and rights of children;
- public authorities cannot rely on this ground in relation to personal data processed in connection with the performance of their tasks (which are set out in law).
Recitals 38 - 39 of the GDPR give further guidance, which includes the following examples of "legitimate interests":
- preventing fraud
- direct marketing
- ensuring network and information security
- reporting criminal acts or threats to public security to a competent authority
The "legitimate interests pursued by the controller" must also be considered in the light of the "reasonable expectations of data subjects based on their relationship with the controller".