GDPR provides six (6) grounds for processing personal data

The GDPR provides six (6) grounds for processing personal data, referred to as Lawfulness of Processing.. [GDPR Article 6, paragraph (1)]. They include Consent  [GDPR Article 6, paragraph (1a)], Performance of a Contract  [GDPR Article 6, paragraph (1b)], Compliance with a Legal Obligation [GDPR Article 6, paragraph (1c)], to Protect the Vital Interests of the Individual  [GDPR Article 6, paragraph (1)d], to Carry Out a Task for Public Interest  [GDPR Article 6, paragraph (1e)], and for the Purposes of Legitimate interests [GDPR Article 6, paragraph (1f)].  Processing shall be lawful only if and to the extent that at least one of the these applies.

GDPR and Legitimate Interest

Legitimate Interest. The GDPR provides six (6) grounds for processing personal data and "Legitimate Interest" is one of them. [GDPR Article 6, paragraph (1)].  Legitimate Interest is also one of the exceptional basis for data transfer outside of the EU. [GDPR Article 49, paragraph (g)].

For compliance, the controller must also disclose at the time of personal data collection, the purpose for processing the data, as well as the legal basis for collecting the data. [GDPR Article 13, paragraph (1c)]. If the legal basis it "legitimate interest", the controller must describe that legitimate interest. [GDPR Article 13, paragraph (1d)].

Transparency is an explicit requirement of GDPR

Transparency is an explicit requirement of GDPR, where it states in its first principle that personal data must be "processed lawfully, fairly and in a transparent manner...." [GDPR Article 5, paragraph 1(a)] .

The controller is responsible for demonstrating compliance with transparency. [GDPR Article 5, paragraph 2] .

The controller must provide information to individuals in a concise, transparent, intelligible and easy to access form, using clear and plain language. [GDPR Article 12, paragraph 1] .