An ‘interest’ can be considered as ‘legitimate’, as long as the Controller
can pursue this interest in a way that complies with data protection and
Legitimate interest has been defined both in Article 6 1(f) of GDPR and its
Recital 47. Especially the marketing purposes are avidly defined as
legitimate in Recital 47 as follows;
“…The processing of personal data for direct marketing purposes may be
regarded as carried out for a legitimate interest.”
However, this does not automatically mean that all processing for marketing
purposes is lawful on this basis. You still need to show that your
processing passes the necessity and balancing tests.
When looking at the balancing test, you should also consider factors such
whether people would expect you to use their details in this way;
the potential nuisance factor of unwanted marketing messages; and
the effect your chosen method and frequency of communication might have
on more vulnerable individuals; like children.
Given that individuals have the absolute right to object to direct
marketing under Article 21(2), it is more difficult to pass the balancing
test if you do not give individuals a clear option to opt out of direct marketing when you
initially collect their details (or in your first communication, if the
data was not collected directly from the individual).
The legitimate interests can be your own interests or the interests of
third parties. They can include commercial interests, individual interests
or broader societal benefits.
You must balance your interests against the individual’s. If they would not
reasonably expect the processing, or if it would cause unjustified harm,
their interests are likely to override your legitimate interests.