Legitimate interest or consent?


Both are legal bases for the processing of personal data under the General Data Protection Regulation (GDPR) of the European Union.

So where is the difference? When do we use one or the other?

The legitimate interest allows the processing of personal data after a meticulous weighing exercise in which the interest of the Data Controller is confronted with respect to the interests, rights and fundamental freedoms of the Data Subjects.

In addition to this analysis, it must meet the following characteristics:

  • Be lawful
  • Be sufficiently specific and represent a real and current interest.

We will not be able to use it if the processing includes specially protected data, since it is not included as an option in art. 9 RGPD.

Consent requires an affirmative manifestation of will on the part of the data subject. It has four characteristics:

  • It must be free
  • Informed
  • Unambiguous
  • Specific.

In addition, it must be demonstrable and can be revoked at any time. If the data processing includes the specially protected data referred to in art. 6 RGPD, consent must be express as an additional security measure.

Some processing operations are already duly identified as likely to use Legitimate Interest: Fraud prevention, direct marketing, contact details of individual entrepreneurs and liberal professionals, etc.