GDPR Article 6, paragraph 1(f)"processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child."
CIPL - Centre for Information Policy Leadership GDPR Implementation Project
19 May 2017 - TOP TEN MESSAGES ON THE PRINCIPLES OF TRANSPARENCY, CONSENT AND LEGITIMATE INTEREST
CIPL(#8) "Legitimate interest may be the most accountable ground for processing in many contexts, as it requires an assessment and balancing of the risks and benefits of processing for organisations, individuals and society."
CIPL Paragraph 4.4, The balancing test
• The legitimate interest ground is no carte blanche for processing. Instead, the balancing test under legitimate interest requires a context-specific risk/benefit assessment and implementation of potential mitigations as part of organisational accountability.
• Each controller is responsible to ensure that the application of the legitimate interest ground for a new processing purpose meets the relevant balancing test. Moreover, each new or changed proposed processing purpose must be reviewed de novo under the legitimate interest balancing test.
CIPL P 1.1 "... Legitimate interest requires an assessment and balancing of the risks and benefits of processing for organisations, individuals and society. It also requires the implementation of appropriate mitigations to reduce or eliminate any unreasonable risks. This places the burden of protecting individuals on the organisation and shifts it away from individuals. Organisations are in the best position to undertake a risk/benefits analysis and to devise appropriate mitigations, and individuals should not be overburdened with making these assessments and informed choices for all digital interactions and processing of their personal data. "
GDPR Citation (47) "The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest."
Another version of the 'toon. Thank you Dr. Tim Walters.